Abstract

We examine the combination of two directions in the field of privacy concerning computations 
over distributed private inputs - secure function evaluation (SFE) and differential privacy. While 
in both the goal is to privately evaluate some function of the individual inputs, the privacy 
requirements are significantly different. The general feasibility results for SFE suggest a natural 
paradigm for implementing differentially private analyses distributively: First choose what to
compute, i.e., a differentially private analysis; Then decide how to compute it, i.e., construct an 
SFE protocol for this analysis. 

We initiate an examination whether there are advantages to a paradigm where both decisions 
are made simultaneously. In particular, we investigate under which accuracy requirements it is 
beneficial to adapt this paradigm for computing a collection of functions including binary sum, 
gap threshold, and approximate median queries. Our results imply that when computing the 
binary sum of n distributed inputs then: 

• When we require that the error is $o(\sqrt{n})$ and the number of rounds is constant, there is
no benefit in the new paradigm.

• When we allow an error of $O(\sqrt{n})$, the new paradigm yields more efficient protocols when
we consider protocols that compute symmetric functions.

Our results also yield new separations between the local and global models of computations for 
private data analysis. 
1 Introduction

We examine the combination of two directions in the field of privacy concerning distributed private 
inputs - secure function evaluation [26l [181 HI E] and differential privacy [HI [8] . While in both 
the goal is to privately evaluate some function of individual inputs, the privacy requirements are 
significantly different. 

Secure function evaluation (SFE) allows n parties $p_1, \ldots, p_n$, sharing a common interest in
distributively computing a function $f(\cdot)$ of their inputs $x = (x_1, \ldots, x_n)$, to compute $f(x)$ while
making sure that no coalition of t or less curious parties learns more than the outcome of $f(x)$. I.e.,
for every such coalition, executing the SFE protocol is equivalent to communicating with a trusted
party that is given the private inputs x and releases $f(x)$. SFE has been the subject of extensive
cryptographic research (initiated in [26l [ISl IH H] ) , and SFE protocols exist for any feasible function
$f(\cdot)$ in a variety of general settings.

SFE is an important tool for achieving privacy of individual entries - no information about
these entries is leaked beyond the outcome $f(x)$. However this guarantee is insufficient in many
applications, and care must be taken in choosing the function $f(\cdot)$ to be computed - any
implementation, no matter how secure, of a function $f(\cdot)$ that leaks individual information would not
preserve individual privacy.

A criterion for functions that preserve privacy of individual entries, differential privacy, has
evolved in a sequence of recent works [71 [111 [HI [2l [TTl [H [9] . It has been demonstrated that
differentially private analyses exist for a variety of tasks including the approximation of numerical
functions (by adding carefully chosen random noise that conceals any single individual's
contribution) [111 [21 [22l [T7] , non-numerical analyses [2Qj , datamining [2^ i22j , learning [21 [19] ,
non-interactive sanitization [3l [131 [IS] , and statistical analysis [IHl [21] .

Employing the generality of SFE, we can combine these two directions in a natural paradigm for
constructing protocols in which differential privacy is preserved: 

1. Decide on what to compute. This can be, e.g., a differentially private analysis $\hat{f}(\cdot)$ that
approximates a desired analysis $f(\cdot)$. Designing $\hat{f}(\cdot)$ can be done while abstracting out all
implementation issues, assuming the computation is performed by a trusted party that only
announces the outcome of the analysis.

2. Decide on how to compute, i.e., construct an SFE protocol for computing $\hat{f}(x)$ either by using
one of the generic transformations of the feasibility results mentioned above, or by crafting
an efficient protocol that utilizes the properties of $\hat{f}(\cdot)$.

This natural paradigm yields a conceptually simple recipe for constructing distributed analyses 
preserving differential privacy, and, furthermore, allows a valuable separation of our examinations 
of the what and how questions. 

Comparing the privacy requirements of SFE protocols with differential privacy suggests, how- 
ever, that this combination may result in sub-optimal protocols. For example, differential privacy 
is only concerned with how the view of a coalition changes when one (or only few) of the inputs 
are changed, whereas SFE protocols are required to keep these views indistinguishable even when 
significant changes occur, if these changes do not affect the computed function's outcome. Hence, it 
may be advantageous to consider a paradigm where the analysis to be computed and the protocol 
for computing it are chosen simultaneously. 
1.1 Our Underlying Models

The main distributed model we consider is of n honest-but-curious (a.k.a. semi-honest) parties
$p_1, \ldots, p_n$ that are connected via a complete network and perform a computation over their private
inputs $x_1, \ldots, x_n$. Privacy is required to be maintained with respect to all coalitions of size up to
t. The model of honest-but-curious parties has been examined thoroughly in cryptography, and
was shown to enable SFE in a variety of settings [26\ [T8| [U [3] . We change the standard definition
so that differential privacy has to be maintained with respect to coalitions of curious parties (see
Definition 2.4 below).

Another distributed model we consider is the local model^1. Protocols executing in the local
model have a very simple communication structure, where each party pi can only communicate 
with a designated honest-but-curious party C, which we refer to as a curator. The communication 
can either be non-interactive, where each party sends a single message to the curator which replies 
with the protocol's outcome, or interactive, where several rounds of communication may take place. 

While it is probably most natural to consider a setting where the players are computationally 
limited (i.e., all are probabilistic polynomial time machines), we present our results in an informa- 
tion theoretic setting. This choice has two benefits: 

• Technically, it allows us to prove lower bounds on SFE protocols (where similar bounds 
are not known for the computational setting). Hence, we can rigorously demonstrate when 
constructing differentially private protocols is better than using the natural paradigm. 

• On the flip side, our bounds on the information theoretic model demonstrate, for the first
time, a setting where reliance on computational hardness assumptions strictly improves the 
construction of differentially private analyses. 

1.2 Our Results 

We initiate an examination of the paradigm where an analysis and the protocol for computing it 
are chosen simultaneously. We begin with two examples that present the potential benefits of using 
this paradigm: it can lead to simpler protocols, and more importantly it can lead to more efficient 
protocols. For the latter we consider the Binary Sum function, 

$$\mathrm{SUM}(x_1, \ldots, x_n) = \sum_{i=1}^{n} x_i \quad \text{for } x_i \in \{0, 1\}.$$

The major part of this work examines whether constructing non-SFE protocols for computing
an approximation $\hat{f}(\cdot)$ to SUM$(\cdot)$ yields an efficiency gain^2. Ignoring the dependency on the privacy
parameter, our first observation is that for approximations with additive error $\approx \sqrt{n}$ there is a gain
- for a natural class of symmetric approximation functions (informally, functions where the outcome
does not depend on the order of inputs), it is possible to construct differentially private protocols
that are much more efficient than any SFE protocol for a function in this class. Moreover, these
differentially private protocols are secure against coalitions of size up to $t = n - 1$, and need not
rely on secure channels.

^1 Also referred to in the literature as randomized response and input perturbation. This model was originally
introduced by Warner [25] as a means of encouraging survey responders to answer truthfully, and has been studied
extensively since.

^2 We only consider oblivious protocols where the communication pattern is independent of input and randomness
(see Section dm .

The picture changes when we consider additive error smaller than $\sqrt{n}$. This follows from a
sequence of results:

1. We prove first that no such non-interactive protocols in the local model exist. Furthermore,
no local protocols with $\ell \le \sqrt{n}$ rounds and additive error $\sqrt{n}/O(\ell)$ exist.

2. We show that in particular, no local interactive protocol with $o(\sqrt{n}/\log n)$ rounds exists for
computing SUM$(\cdot)$ within constant additive error (this is in contrast to the centralized setup
where SUM$(\cdot)$ can be computed within $O(1)$ additive error).

3. Finally, we prove that the bounds on local protocols imply that no distributed protocols exist
that use $nt/4$ messages, and approximate SUM$(\cdot)$ within additive error $\sqrt{n}/O(\ell)$ in $\ell$ rounds.

Considering the natural paradigm, i.e., computing a differentially-private approximation to SUM$(\cdot)$
using SFE, we get a protocol for approximating SUM$(\cdot)$ with $O(1)$ additive error, and sending $O(nt)$
messages. Thus, for protocols with error $o(\sqrt{n}/\epsilon)$ and small number of rounds, there is no gain in
using the paradigm of a simultaneous design of the function and its protocol.

Our results imply that differentially private protocols constructed under computational hardness
assumptions, yielding a computational version of differential privacy (see Definition 2.5), are
provably more efficient than protocols that do not make use of computational hardness. For
instance, the phase transition we observe at $\theta(\sqrt{n}/\epsilon)$ additive error does not hold in a computational
setting. See Example 2.6 for details.

1.3 Techniques 

We prove our lowerbound for the distributed model in a sequence of reductions. We begin with a 
simple reduction from any differentially private protocol for SUM to a gap version of the threshold 
function, denoted GAP-TR. Henceforth, it is enough to prove our lowerbound for GAP-TR. 

At the heart of our lowerbound for GAP-TR is a transformation from efficient distributed
protocols into local interactive protocols, showing that if there are distributed differentially-private
protocols for GAP-TR$(\cdot)$ in which half of the parties interact with less than $t + 1$ parties, then there
exist differentially-private protocols for GAP-TR$(\cdot)$ in the local interactive model. This allows us
to prove our impossibility results in the local model, which is considerably simpler to analyze.

In analyzing the local non-interactive model, we prove lowerbounds borrowing from analyses
in [71 IH] . The main technical difference is that our analysis is a lowerbound and hence should hold
for general protocols, whereas the work in [71 [H] was concerned with proving feasibility of privacy
preserving computations (i.e., upperbounds), and hence they analyze very specific protocols.

To extend our lowerbounds from the local non-interactive to interactive protocols, we decompose
an $\ell$-round interactive protocol into $\ell$ one-round protocols, analyze the $\ell$ protocols, and use
composition to obtain the lowerbound.

1.4 Related Work 

Secure function evaluation and private data analysis were first tied together in the Our Data,
Ourselves (ODO) protocols [9]. The constructions in [9] - distributed SFE protocols for generating
shares of random noise used in private data analyses - follow the natural paradigm discussed above
(however, they avoid utilizing generic SFE feasibility results to gain on efficiency). We note that a
difference between the protocols in [9] and the discussion herein is that ODO protocols are secure
against malicious parties, in a computational setup, whereas we deal with honest-but-curious
parties, and mostly in an information theoretic setup. Following our work, computational differential
privacy was considered in [21] ; they present several definitions of computational differential privacy,
study the relationships between these definitions, and construct efficient 2-party computational
differentially private protocols for approximating the distance between two vectors. In this work, we
supply a definition of computationally $(t, \epsilon)$-differentially private protocols which is close to the
definition of IND-CDP privacy in [21].

Lowerbounds on the local non-interactive model were previously presented implicitly in [23|
[T9] , and explicitly in [71 [12] . The two latter works are mainly concerned with what is called the
global (or centralized) interactive setup, but also have implications for approximating SUM in the
local non-interactive model, namely, that it is impossible to approximate it within additive error
$c\sqrt{n}$ (for some constant $c > 0$), a slightly weaker result compared to our lowerbound of $c\sqrt{n}/\epsilon$ for
$\epsilon$-differentially private local non-interactive protocols. However, (to the best of our understanding)
these implications of [71 [12] do not imply the lowerbounds we get for local interactive protocols and
distributed protocols.

Chor and Kushilevitz [5] consider the problem of securely computing modular sum when the 
inputs are distributed. They show that this task can be done while sending roughly $n(t + 1)/2$
messages. Furthermore, they prove that this number of messages is optimal for a family of protocols 
that they call oblivious. These are protocols where the communication pattern is fixed and does 
not depend on the inputs or random inputs. In our work we extend their lowerbound result and 
prove that with n(t + 1)/4 messages no symmetric approximation for SUM with sub-linear additive 
error can be computed in an oblivious protocol. 

1.5 Organization 

The rest of the paper is organized as follows: In Section 2 we define differentially private analyses
and their extension to differentially private protocols (both information-theoretic and computational),
describe the local model of communication, and define the binary sum and gap threshold functions.
In Section 3 we present two motivating examples for our new methodology of simultaneously
solving how and what. In Section 4 we prove lowerbounds on the error of differentially private
protocols for computing the binary sum and gap threshold functions in the local model, and in
Section 5 we extend these lowerbounds to the distributed model. Finally, in Section 6 we prove
that an SFE protocol for computing a symmetric approximation of the sum function with less than
$nt/4$ messages has an error of $\Omega(n)$ (compared to a non-SFE protocol that approximates the sum
function with $O(n)$ messages and an error of $O(\sqrt{n})$).

2 Preliminaries 

Notation. A vector $x = (x_1, \ldots, x_n)$ is an ordered sequence of n elements of some domain D.
Vectors $x, x'$ are neighboring if they differ on exactly one entry, and are $T$-neighboring if they differ
on a single entry whose index is not in $T \subseteq [n]$.

The Laplace distribution, Lap$(\lambda)$, is the continuous probability distribution with probability
density function

For $Y \sim \mathrm{Lap}(\lambda)$ we have that $E[Y] = 0$, $\mathrm{Var}[Y] = 2\lambda^2$, and $\Pr[|Y| > k\lambda] = e^{-k}$.

Definition 2.1 Let $D_I$, $D_R$, and $R$ be sets. An n-ary randomized function is a function
$f : (D_I)^n \times D_R \to R$, where $D = D_I$ is the domain of f and $D_R$ is the set of random inputs. For
$x = (x_1, \ldots, x_n) \in D^n$ we usually write $f(x)$ with the underlying convention that
$f(x_1, \ldots, x_n) = f(x_1, \ldots, x_n, r)$, where r is uniformly selected from $D_R$. Following this convention,
we also usually omit $D_R$ from the notation and write $f : D^n \to R$.

2.1 Differential Privacy 

Our privacy definition for distributed protocols (Definition 2.4 below) can be viewed as a distributed
variant of $\epsilon$-differential privacy. Informally, a computation is differentially private if any change in
a single individual input may only induce a small change in the distribution on its outcomes.

Definition 2.2 (Differential privacy [11]) Let $f : D^n \to R$ be a randomized function from
domain $D^n$ to range $R$. We say that f is $\epsilon$-differentially private if for all neighboring vectors $x, x'$,
and for all possible sets of outcomes $V \subseteq R$ it holds that

$$\Pr[f(x) \in V] \le e^{\epsilon} \cdot \Pr[f(x') \in V].$$

The probability is taken over the randomness of f.

Several frameworks for constructing differentially private functions by means of perturbation
are presented in the literature (see [11^ [21 122| I20j). The most basic transformation on a function
$f$ that yields a differentially private function is via the framework of global sensitivity [TT]. In this
framework the outcome is obtained by adding to $f(x)$ noise sampled from the Laplace distribution,
calibrated to the global sensitivity of $f$, defined as

$$GS_f = \max |f(x) - f(x')|,$$

with the maximum taken over neighboring $x, x'$. Formally, $\hat{f}$ is defined as

$$\hat{f}(x) = f(x) + Y, \quad \text{where } Y \sim \mathrm{Lap}(GS_f/\epsilon). \qquad (1)$$

Example 2.3 The binary sum function $\mathrm{SUM} : \{0, 1\}^n \to \mathbb{R}$ is defined as $\mathrm{SUM}(x) = \sum_{i=1}^{n} x_i$. For
every two neighboring $x, x' \in \{0, 1\}^n$ we have that $|\mathrm{SUM}(x) - \mathrm{SUM}(x')| = 1$ and hence
$GS_{\mathrm{SUM}} = 1$. Applying Equation (1), we get an $\epsilon$-differentially private approximation,
$\hat{f}(x) = \mathrm{SUM}(x) + Y$, where $Y \sim \mathrm{Lap}(1/\epsilon)$, that is, we get a differentially private approximation of SUM with $O(1)$
additive error.
2.2 Differentially Private Protocols

We consider a distributed setting, where n parties $p_1, \ldots, p_n$ hold private inputs $x_1, \ldots, x_n$
respectively and engage in a protocol $\Pi$ in order to compute (or approximate) a function $f(\cdot)$ of their
joint inputs. Parties are honest-but-curious, which means they follow the prescribed randomized
protocol. However, as the execution of the protocol terminates, colluding parties can try to infer
information about inputs of parties outside the coalition, given their joint view of the execution.

The protocol $\Pi$ is executed in a synchronous environment with point-to-point secure (untappable)
communication channels, and is required to preserve privacy with respect to coalitions of
up to t parties. Following [5], we assume that the protocol $\Pi$ has a fixed-communication pattern
(such protocols are called oblivious), i.e., every channel is either (i) active in every run of $\Pi$ (i.e.,
at least one bit is sent over the channel), or (ii) never used^3. Parties that are adjacent to at least
$t + 1$ active channels are called popular; other parties are called lonely.

The main definition we will work with is an extension of Definition 2.2 to a distributed setting.
Informally, we require that differential privacy is preserved with respect to any coalition of size up
to t.

Definition 2.4 (Distributed differential privacy) Let $\Pi$ be a protocol between n (honest-but-curious)
parties. For a set $T \subseteq [n]$ and fixed inputs $x = (x_1, \ldots, x_n)$, let $\mathrm{View}_T(x_1, \ldots, x_n)$ be the
random variable containing the inputs of the parties in T (i.e., $\{x_i\}_{i \in T}$), the random inputs of the
parties in T, and the messages that the parties in T received during the execution of the protocol
with private inputs $x = (x_1, \ldots, x_n)$ (the randomness is taken over the random inputs of the parties
not in T).

We say that $\Pi$ is $(t, \epsilon)$-differentially private if for all $T \subseteq [n]$, where $|T| \le t$, for all T-neighboring
$x, x'$, and for all possible sets $V_T$ of views of the parties in T:

$$\Pr[\mathrm{View}_T(x) \in V_T] \le e^{\epsilon} \cdot \Pr[\mathrm{View}_T(x') \in V_T], \qquad (2)$$

where the probabilities are taken over the random inputs of the parties in the protocol $\Pi$.

An equivalent requirement is that for all $T \subseteq [n]$, where $|T| \le t$, for all T-neighboring $x, x'$,
and for all distinguishers D (i.e., functions, not necessarily efficiently computable, from views to
$\{0, 1\}$),

$$\Pr[D(\mathrm{View}_T(x)) = 1] \le e^{\epsilon} \cdot \Pr[D(\mathrm{View}_T(x')) = 1].$$

This requirement can be relaxed to only consider distinguishers that are computationally bounded:

Definition 2.5 (Computational distributed differential privacy) We say that $\Pi$ is computationally
$(t, \epsilon)$-differentially private if for every probabilistic polynomial-time algorithm D, and for
every polynomial $p(\cdot)$, there exists $k_0$ such that for all $k > k_0$, for all $T \subseteq [n]$, where $|T| \le t$, and
for all T-neighboring inputs $x, x' \in (\{0, 1\}^k)^n$:

$$\Pr[D(\mathrm{View}_T(x)) = 1] \le e^{\epsilon} \cdot \Pr[D(\mathrm{View}_T(x')) = 1] + \frac{1}{p(n \cdot k)},$$

where the probabilities are taken over the random inputs of the parties in protocol $\Pi$ and the
randomness of D.

^3 Our proofs also work in a relaxed setting where every channel is either (i) used in at least a constant fraction of
the runs of $\Pi$ (where the probability is taken over the coins of $\Pi$), or (ii) is never used.
Example 2.6 We next describe a computationally $(n/2, \epsilon)$-differentially private protocol for computing
SUM with $O(\log n/\epsilon)$ additive error, $O(n)$ messages, and constant number of rounds. This
protocol uses a homomorphic encryption scheme with threshold decryption (that is, only the set of
all parties can decrypt messages). For example, if we use ElGamal encryption, the distributed key
generation and decryption require one round in which each party sends one message. The protocol
works in three phases:

Key Generation. The parties generate public and private keys for the homomorphic encryption
scheme with threshold decryption.

Encryption. Each party $p_i$ chooses a random $\mathrm{noise}_i$ (according to a distribution that will be defined
later), computes $y_i = x_i + \mathrm{noise}_i$, encrypts $y_i$ using the public encryption key and sends the
encryption to $p_1$.

Decryption. Party $p_1$ computes z, an encryption of $y = \sum_{i=1}^{n} y_i$ (this is possible as the encryption
scheme is homomorphic). $p_1$ sends z to each $p_i$, which in return sends a decryption message
back to $p_1$. Finally, $p_1$ decrypts y from the decryption messages and sends y to all parties.

One way to generate each party's noise is for each party to sample from the Normal distribution
with mean zero and variance $6\log^2 n/(n\epsilon^2)$. Since the sum of normal random variables is a normal
random variable, $y = \sum_{i=1}^{n} x_i + \mathrm{noise}$ where noise is sampled from a normal distribution with mean
zero and variance $6\log^2 n/\epsilon^2$. Furthermore, even if a coalition of $n/2$ parties subtracts the noise
that its parties added to y, the variance of the remaining noise is $3\log^2 n/\epsilon^2$. Using the analysis
of JS^, the protocol is a computationally $(n/2, \epsilon)$-differentially private protocol which with constant
probability has error $O(\log n/\epsilon)$.

The above protocol is a computationally $(n/2, \epsilon)$-differentially private protocol for computing
SUM with $O(\log n/\epsilon)$ additive error, $O(n)$ messages, and constant number of rounds. In contrast,
we prove that an $(n/2, \epsilon)$-differentially information-theoretically private protocol for computing SUM
with $o(\sqrt{n})$ additive error and constant number of rounds must send $\Omega(n^2)$ messages. Thus, our
results show that requiring only computational differential privacy does result in more efficient
protocols.
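
The noise accounting in Example 2.6 can be checked by simulation. The following is an added example, not code from the paper: it drops the encryption layer (plain addition stands in for the homomorphic sum that $p_1$ decrypts), assumes the natural logarithm, and uses illustrative function names and parameters ($n = 64$, $\epsilon = 1$). It measures the variance of the error on the published value $y$ and the variance that remains after a coalition of $n/2$ parties subtracts its own inputs and noise shares.

```python
import math
import random
import statistics


def per_party_std(n, eps):
    """Std of one party's Gaussian share: variance 6 log^2(n) / (n eps^2).
    Natural log is an assumption; the example only writes 'log'."""
    return math.sqrt(6.0) * math.log(n) / (eps * math.sqrt(n))


def run_once(inputs, eps, rng):
    """Plaintext view of one protocol run.
    Returns (y, noises), where y is the value p_1 decrypts and broadcasts."""
    sigma = per_party_std(len(inputs), eps)
    noises = [rng.gauss(0.0, sigma) for _ in inputs]
    y = sum(x + e for x, e in zip(inputs, noises))
    return y, noises


def coalition_estimate(y, inputs, noises, coalition):
    """What a coalition learns about the honest parties' sum after removing
    its own inputs and its own noise shares from the published y."""
    return y - sum(inputs[i] + noises[i] for i in coalition)


def expected_variances(n, eps):
    """(variance of total noise, variance left against a coalition of n/2)."""
    total = 6.0 * math.log(n) ** 2 / eps ** 2
    return total, total / 2.0


def simulate(n=64, eps=1.0, trials=3000, seed=7):
    """Empirical counterparts of expected_variances over random binary inputs."""
    rng = random.Random(seed)
    coalition = range(n // 2)              # parties p_1 .. p_{n/2} collude
    total_err, residual_err = [], []
    for _ in range(trials):
        inputs = [rng.randrange(2) for _ in range(n)]
        y, noises = run_once(inputs, eps, rng)
        total_err.append(y - sum(inputs))
        honest_sum = sum(inputs[n // 2:])
        residual_err.append(
            coalition_estimate(y, inputs, noises, coalition) - honest_sum)
    return statistics.pvariance(total_err), statistics.pvariance(residual_err)


if __name__ == "__main__":
    emp_total, emp_res = simulate()
    exp_total, exp_res = expected_variances(64, 1.0)
    print(f"total noise variance:    empirical {emp_total:.1f}, expected {exp_total:.1f}")
    print(f"residual noise variance: empirical {emp_res:.1f}, expected {exp_res:.1f}")
```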

Using standard SFE feasibility results (in the computational setting), it is possible now to prove
that the natural paradigm presented in Section 1 yields protocols that adhere to Definition 2.5.
Consider an $\epsilon$-differentially private data analysis $f$ and a computationally bounded distinguisher
D, trying to distinguish between a computation of an SFE protocol computing $f$ with neighboring
inputs $x$ and $x'$. Since $f$ preserves differential privacy, the distributions on the outputs must be
$\epsilon$-close; the same must hold for the random variables describing the adversary's view (up to some
negligible function in the length of the (concatenated) inputs). We get:

Lemma 2.7 (Informal) Let f be $\epsilon$-differentially private, and let $\Pi$ be a t-secure protocol computing
f, then $\Pi$ is computationally $(t, \epsilon)$-differentially private.

In the above lemma, if the t-secure protocol $\Pi$ computing $f$ has perfect security, then $\Pi$ is
information-theoretically $(t, \epsilon)$-differentially private.

Remark 2.8 We will only consider protocols computing a (randomized) function $f(\cdot)$ resulting in
all parties computing the same outcome of $f(x)$. This can be achieved, e.g., by having one party
compute $f(x)$ and send the outcome to all other parties.
2.3 Distributed Protocols — Basic Observations

The following notation and basic observations are used throughout the paper. 

Notation 2.9 Fix an n-party randomized protocol $\Pi$ and fix some communication transcript c.
Assume that party $p_i$ holds an input $x_i$ and receives messages according to the transcript c. We
define $\alpha_i^c(x_i)$ to be the probability that on input $x_i$ party $p_i$ sends messages that are consistent with
transcript c, given that it receives messages that are consistent with c. The probability is taken
over the randomness of party $p_i$.

Let $\ell$ be the number of rounds in $\Pi$. Assume, without loss of generality, that $p_i$ receives and
sends messages in every round, and let $\beta_j$ (where $1 \le j \le \ell$) be the probability that on input $x_i$ party $p_i$
sends in round j messages that are consistent with transcript c, provided that in previous rounds
$p_i$ sees messages that are consistent with c. Then, by the chain rule of conditional probabilities we
have that

$$\alpha_i^c(x_i) = \prod_{j=1}^{\ell} \beta_j.$$

Observe that the event that $p_i$ sends messages according to c when it sees messages according to
c depends only on the randomness $r_i$, and hence this event is independent of whether the other
parties send messages according to c when they see messages according to c. We hence get the
following lemma:

Lemma 2.10 Fix an n-party randomized protocol $\Pi$, assume that each $p_i$ holds an input $x_i$, and
fix some communication transcript c. Then, the probability that c is exchanged is $\prod_{i=1}^{n} \alpha_i^c(x_i)$.

2.4 The Local Model 

The local model (previously discussed in [111 I19j ) is a simplified distributed communication model
where the parties communicate via a designated party - a curator^4 - denoted C. The curator has
no local input. We will consider two types of differentially private local protocols - interactive and
non-interactive.

In non-interactive local protocols each party $p_i$ applies an $\epsilon$-differentially private algorithm $S_i$
on its private input $x_i$ and randomness $r_i$, and sends $S_i(x_i, r_i)$ to C that then performs an arbitrary
computation and publishes its result.

In interactive local protocols the protocol proceeds in rounds, where in each round j the curator
sends to each party $p_i$ a "query" message $q_{i,j}$ and party $p_i$ responds with the jth "answer"
$A_i(x_i, q_{i,1}, \ldots, q_{i,j}, r_i)$; the answer is a function of the party's input $x_i$, its random input $r_i$, and the
first j queries. I.e., each round consists of two communication phases: first, the query messages are
sent by the curator, then, each party sends the appropriate response message.

We note that in the honest-but-curious setting we can assume, without loss of generality, that
the curator is deterministic, as randomness for the curator may be provided by parties in their first
message.

^4 Unlike in a centralized setting where the curator is a trusted party that collects raw private information, in the
local model the curator is a non-trusted party. In our setting, the curator is semi-honest.

Definition 2.11 (Differential privacy in the local model) We say that a protocol $\Pi$ in the
local model is $\epsilon$-differentially private if the curator's view preserves $\epsilon$-differential privacy. Formally,
for all neighboring $x, x'$ and for every possible set $V_C$ of views of the curator:

$$\Pr[\mathrm{View}_C(x) \in V_C] \le e^{\epsilon} \cdot \Pr[\mathrm{View}_C(x') \in V_C],$$

where $\mathrm{View}_C(x)$ is the random variable containing the messages that C receives during the execution
of the protocol with private inputs $x = (x_1, \ldots, x_n)$ and the probability is taken over the random
inputs of the parties.

We note that $\mathrm{View}_C(x)$ is defined in accordance with Definition 2.4 (with some abuse of notation,
as we write C instead of $\{C\}$). However, since C has no initial input and since C is assumed to
be deterministic, it is enough to include in $\mathrm{View}_C(x)$ only the messages that C receives during the
execution of the protocol with inputs $x = (x_1, \ldots, x_n)$.

Differential privacy in the local model may be equivalently phrased as a requirement to preserve
the privacy of each party independently of other parties. We next give a definition in this spirit by
considering the probabilities that a party $p_i$ replies in a certain way to a given sequence of queries
with, say, $x_i = 0$ and with, say, $x_i = 1$. Any communication transcript c in an execution of the
protocol defines a transcript $c_i$, where

$$c_i = (q_{i,1}, a_{i,1}, \ldots, q_{i,\ell}, a_{i,\ell})$$

is the restriction of c to the messages transferred between party $p_i$ and the curator (recall that
in the local model every party communicates solely with the curator). Thus, we can use $\alpha_i^{c_i}(x_i)$
(see Notation 2.9) to denote the probability that $p_i$ with private input $x_i$ replies by $a_{i,1}, \ldots, a_{i,\ell}$
provided the curator has sent queries $q_{i,1}, \ldots, q_{i,\ell}$. Using this notation, we present the alternative
definition of privacy in the local model.

Definition 2.12 (Differential privacy in the local model by individual privacy) We say that
a protocol $\Pi$ in the local model is $\epsilon$-differentially private if the curator's view preserves $\epsilon$-differential
privacy with respect to each party separately. Formally, for every $i \in [n]$ and for any possible
communication transcript $c_i = (q_{i,1}, a_{i,1}, \ldots, q_{i,\ell}, a_{i,\ell})$ between party $p_i$ and the curator (i.e., there exist
inputs $x'_1, \ldots, x'_n$ and random inputs $r'_1, \ldots, r'_n$ consistent with $c_i$), and for every $x_i, y_i \in D$ it holds
that

$$\alpha_i^{c_i}(x_i) \le e^{\epsilon} \cdot \alpha_i^{c_i}(y_i),$$

where the probabilities are taken over the random input of $p_i$.

Claim 2.13 Definition 2.11 is equivalent to Definition 2.12.

Proof: We prove implications in both directions. 

Definition 2.11 $\Rightarrow$ Definition 2.12: Let $\Pi$ be according to Definition 2.11. Given a possible
transcript $c_i$ of messages between party $p_i$ and C, choose any possible transcript $c = (c_1, \ldots, c_n)$
that is consistent with $c_i$. We get that for all $x_i, y_i$,

$$\frac{\alpha_i^{c_i}(x_i)}{\alpha_i^{c_i}(y_i)} = \frac{\alpha_i^{c_i}(x_i) \cdot \prod_{j \ne i} \alpha_j^{c_j}(x_j)}{\alpha_i^{c_i}(y_i) \cdot \prod_{j \ne i} \alpha_j^{c_j}(x_j)} = \frac{\Pr[\mathrm{View}_C(x_1, \ldots, x_{i-1}, x_i, x_{i+1}, \ldots, x_n) = c]}{\Pr[\mathrm{View}_C(x_1, \ldots, x_{i-1}, y_i, x_{i+1}, \ldots, x_n) = c]} \le e^{\epsilon},$$

where the last equality follows by Lemma 2.10 and the last inequality follows from $\Pi$ being
$\epsilon$-differentially private according to Definition 2.11, noting that $(x_1, \ldots, x_{i-1}, x_i, x_{i+1}, \ldots, x_n)$ and
$(x_1, \ldots, x_{i-1}, y_i, x_{i+1}, \ldots, x_n)$ are neighboring.

Definition 2.12 $\Rightarrow$ Definition 2.11: Let $\Pi$ be according to Definition 2.12. Given a possible
transcript $c = (c_1, \ldots, c_n)$ and neighboring inputs $(x_1, \ldots, x_{i-1}, x_i, x_{i+1}, \ldots, x_n)$ and $(x_1, \ldots, x_{i-1}, y_i, x_{i+1}, \ldots, x_n)$,
we have that

$$\frac{\Pr[\mathrm{View}_C(x_1, \ldots, x_{i-1}, x_i, x_{i+1}, \ldots, x_n) = c]}{\Pr[\mathrm{View}_C(x_1, \ldots, x_{i-1}, y_i, x_{i+1}, \ldots, x_n) = c]} = \frac{\alpha_i^{c_i}(x_i) \cdot \prod_{j \ne i} \alpha_j^{c_j}(x_j)}{\alpha_i^{c_i}(y_i) \cdot \prod_{j \ne i} \alpha_j^{c_j}(x_j)} = \frac{\alpha_i^{c_i}(x_i)}{\alpha_i^{c_i}(y_i)} \le e^{\epsilon},$$

where the first equality follows by Lemma 2.10 and the inequality follows from $\Pi$ being
$\epsilon$-differentially private according to Definition 2.12. □

Claim 2.13 implies that, in the information-theoretic local model, requiring differential privacy
for the curator implies differential privacy with respect to every coalition.
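
Lemma 2.10 and Claim 2.13 can be checked numerically on a small non-interactive local protocol. The following is an added example, not code from the paper: it assumes each randomizer $S_i$ is binary randomized response, and the names `rr_alpha`, `transcript_prob`, `individual_ratio` and `curator_ratio` are illustrative. By exhaustive enumeration it shows that the per-party bound of Definition 2.12 and the curator-view bound of Definition 2.11 (taken over all sets of views) coincide at $e^{\epsilon}$.

```python
import itertools
import math


def rr_alpha(eps):
    """alpha[c][x]: probability that a party holding bit x sends bit c under
    randomized response that reports the true bit w.p. e^eps / (1 + e^eps).
    All parties use the same randomizer here (an assumption of this example)."""
    keep = math.exp(eps) / (1.0 + math.exp(eps))
    return {c: {x: (keep if c == x else 1.0 - keep) for x in (0, 1)}
            for c in (0, 1)}


def transcript_prob(c, x, alpha):
    """Lemma 2.10: Pr[transcript c is exchanged] = prod_i alpha_i^{c_i}(x_i)."""
    p = 1.0
    for c_i, x_i in zip(c, x):
        p *= alpha[c_i][x_i]
    return p


def individual_ratio(alpha):
    """Definition 2.12: worst ratio alpha^{c_i}(x_i) / alpha^{c_i}(y_i)
    over all messages c_i and all input pairs x_i, y_i."""
    return max(alpha[c][x] / alpha[c][y]
               for c in (0, 1) for x in (0, 1) for y in (0, 1))


def curator_ratio(n, alpha):
    """Definition 2.11: worst ratio Pr[View_C(x) in V] / Pr[View_C(x') in V]
    over all neighboring x, x' in {0,1}^n and all non-empty sets V of views.
    Exhaustive, so only meant for small n (2^(2^n) sets)."""
    views = list(itertools.product((0, 1), repeat=n))
    worst = 0.0
    for x in views:                        # inputs also range over {0,1}^n
        for i in range(n):
            x_nb = x[:i] + (1 - x[i],) + x[i + 1:]   # flip party i's bit
            px = [transcript_prob(c, x, alpha) for c in views]
            pn = [transcript_prob(c, x_nb, alpha) for c in views]
            for mask in range(1, 2 ** len(views)):   # every non-empty V
                num = sum(p for k, p in enumerate(px) if (mask >> k) & 1)
                den = sum(p for k, p in enumerate(pn) if (mask >> k) & 1)
                worst = max(worst, num / den)
    return worst


if __name__ == "__main__":
    eps = 0.5
    alpha = rr_alpha(eps)
    print("e^eps                    :", math.exp(eps))
    print("per-party bound (2.12)   :", individual_ratio(alpha))
    print("curator-view bound (2.11):", curator_ratio(3, alpha))
```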

2.5 Approximation 

We will construct protocols whose outcome approximates a function $f : D^n \to \mathbb{R}$ by a probabilistic
function, according to the following definition:

Definition 2.14 (Approximation) A randomized function $\hat{f} : D^n \to \mathbb{R}$ is an additive
$(\gamma, \tau)$-approximation for a (deterministic) function f if

$$\Pr\left[\, |\hat{f}(x) - f(x)| > \tau(n) \,\right] \le \gamma(n)$$

for all $x \in D^n$. The probability is over the randomness of $\hat{f}$.

For example, by the properties of the Laplace distribution, Equation (1) yields an additive
$(e^{-k}, k \cdot GS_f/\epsilon)$-approximation to $f$, for every $k > 0$.

2.6 The Binary Sum and Gap Threshold Functions 

The binary sum function is defined to be SUM$_n(x_1, \ldots, x_n) = \sum_{i=1}^{n} x_i$ for $x_i \in \{0, 1\}$ (the subscript 
$n$ is omitted when it is clear from the context). We will use a gap (or promise) version of the 
threshold function: 

Definition 2.15 (Gap Threshold) For $\kappa, \tau \ge 0$: 

$$\mathrm{GAP\text{-}TR}_{\kappa,\tau}(x_1, \ldots, x_n) = \begin{cases} 0 & \text{if } \mathrm{SUM}_n(x_1, \ldots, x_n) \le \kappa, \\ 1 & \text{if } \mathrm{SUM}_n(x_1, \ldots, x_n) \ge \kappa + \tau. \end{cases}$$

Note that GAP-TR$_{\kappa,\tau}(x_1, \ldots, x_n)$ is not defined when $\kappa < \mathrm{SUM}_n(x_1, \ldots, x_n) < \kappa + \tau$. 

It is easy to transform any $(\gamma, \tau/2)$-approximation $\hat{f}$ of SUM to a $(\gamma, 0)$-approximation $\hat{g}$ to 
GAP-TR$_{\kappa,\tau}$: given $y = \hat{f}(x)$ for SUM$_n(x)$, set $\hat{g}(x)$ to be 0 if $y < \kappa + \tau/2$ and 1 otherwise. We 
get the following simple corollary: 

Corollary 2.16 If there exists an $\ell$-round, $(t, \epsilon)$-differentially private protocol (resp. $\epsilon$-differentially 
private protocol in the local model) that $(\gamma, \tau/2)$-approximates SUM$_n$ sending $p$ messages, then for 
every $\kappa$ there exists an $\ell$-round, $(t, \epsilon)$-differentially private protocol (resp. $\epsilon$-differentially private 
protocol in the local model) that correctly computes GAP-TR$_{\kappa,\tau}$ with probability at least $1 - \gamma$, 
sending at most $p$ messages. 

Specifically, non-existence of $(t, \epsilon)$-differentially private protocols for computing GAP-TR$_{0,\tau}$ 
correctly with $n(t + 1)/4$ messages implies that there exists no $(t, \epsilon)$-differentially private protocols 
for computing SUM$_n$ with $n(t + 1)/4$ messages and additive error magnitude $\tau/2$. The next claim 
asserts that the same non-existence also implies that, for any $0 \le \kappa \le n - \tau$, there exists no 
$(t, \epsilon)$-differentially private protocol for computing GAP-TR$_{\kappa,\tau}$ correctly with $n(t + 1)/8$ messages. 
Again, it applies to both the distributed and the local models. 

Claim 2.17 If for some $0 \le \kappa \le n - \tau$ there exists an $\ell$-round, $(t, \epsilon)$-differentially private 
(respectively, $\epsilon$-differentially private in the local model) $n$-party protocol that correctly computes 
GAP-TR$_{\kappa,\tau}$ with probability at least $\gamma$ sending at most $p$ messages, then there exists an $\ell$-round, 
$(t/2, \epsilon)$-differentially private (respectively, $\epsilon$-differentially private in the local model) $n/2$-party 
protocol that correctly computes GAP-TR$_{0,\tau}$ with probability at least $\gamma$ sending at most $p$ messages. 

Proof: For $\kappa \le n/2$, given an $n$-party protocol $\Pi$ that correctly computes GAP-TR$_{\kappa,\tau}$, 
define an $n/2$-party protocol $\Pi'$ for computing GAP-TR$_{0,\tau}$ by simulating parties $p_{n/2+1}, \ldots, p_n$ where 
$x_{n/2+1}, \ldots, x_{n/2+\kappa}$ are set to 1 and $x_{n/2+\kappa+1}, \ldots, x_n$ are set to 0. In the local model, a designated party, 
say $p_1$, can simulate these $n/2$ parties. In the distributed model, we let each party $p_i$ simulate party 
$p_{i+n/2}$. 

Observe that in the distributed model any view $v$ of a coalition $T'$ of size $t' \le t/2$ in some 
execution of the resulting protocol, is exactly the view of the coalition $T$ of size $2t' \le t$, implied 
by $T'$ (for $p_i \in T'$ we have $p_i, p_{i+n/2} \in T$) in the appropriate computation of the original protocol. 
Moreover, any $T'$-neighboring $x, x'$ define $T$-neighboring $xy, x'y$ (where $y = 1^{\kappa} 0^{n/2-\kappa}$), such that 
$\Pr[\mathrm{View}_T(xy) = v] = \Pr[\mathrm{View}_{T'}(x) = v]$ and $\Pr[\mathrm{View}_T(x'y) = v] = \Pr[\mathrm{View}_{T'}(x') = v]$. Thus, by 
the privacy of the original protocol, the resulting protocol is $(t/2, \epsilon)$-differentially private. 

For $\kappa > n/2$, we can use the construction above to compute GAP-TR$_{n-\kappa-\tau,\tau}$, by flipping all 
input bits (that is, changing 1 to 0 and vice versa) before engaging in the execution, running the 
protocol, and finally flipping the result of the computation. □ 

3 Motivating Examples 

We begin with two examples manifesting benefits of choosing an analysis together with a differen- 
tially private protocol for computing it. In the first example, this paradigm yields more efficient 
protocols than the natural paradigm; in the second example, it yields simpler protocols. 

3.1 Binary Sum — $\sqrt{n}$ Additive Error 

We begin with a simple protocol for approximating SUM$_n$ within $O(\sqrt{n}/\epsilon)$-additive approximation. 
This protocol is well known as Randomized Response [25]. We describe the protocol in the (non- 
interactive) local model, and it can be easily translated to a two round (and $2n$ messages) $(n, \epsilon)$- 
differentially private distributed protocol by letting some arbitrarily designated party (say $p_1$) play 
the role of $C$. 

Let $\mathrm{flip}_\alpha(x)$ be a randomized bit flipping operator returning $x$ with probability $0.5 + \alpha$ and $1 - x$ 
otherwise, where $\alpha$ = j^^-. The protocol proceeds as follows: 

1. Each party $p_i$ with private input $x_i \in \{0, 1\}$ sends $z_i = \mathrm{flip}_\alpha(x_i)$ to $C$. 

2. $C$ locally computes and publishes $k = \sum_{i=1}^{n} z_i$. 

3. Each party locally computes $\hat{f} = (k - (0.5 - \alpha)n)/2\alpha$. 

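A total of $O(n)$ messages and $O(n \log n)$ bits of communication are exchanged. To see that the 
protocol satisfies the privacy requirement of Definition 2.12 note that 

$$\frac{\Pr[\mathrm{flip}_\alpha(1) = 1]}{\Pr[\mathrm{flip}_\alpha(0) = 1]} = \frac{0.5 + \alpha}{0.5 - \alpha} \le e^{\epsilon},$$

and similarly $\Pr[\mathrm{flip}_\alpha(0) = 0] / \Pr[\mathrm{flip}_\alpha(1) = 0] \le e^{\epsilon}$. To see that the protocol approximates the 
sum function, note that 

$$\Pr[\mathrm{flip}_\alpha(x_i) = 1] = \begin{cases} 0.5 + \alpha & \text{if } x_i = 1 \\ 0.5 - \alpha & \text{if } x_i = 0. \end{cases}$$

Thus, 

$$E[k] = (0.5 + \alpha) \cdot \mathrm{SUM}(x) + (0.5 - \alpha) \cdot (n - \mathrm{SUM}(x)) = 2\alpha \cdot \mathrm{SUM}(x) + (0.5 - \alpha)n,$$

and hence, 

$$E[\hat{f}] = E\left[\frac{k - (0.5 - \alpha)n}{2\alpha}\right] = \mathrm{SUM}(x).$$

By an application of the Chernoff bound, we get that $\hat{f}$ is an additive $(O(1), O(\sqrt{n}/\epsilon))$-approximation 
to SUM($\cdot$), that is, with constant probability, the error is $O(\sqrt{n}/\epsilon)$. 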

Remark 3.1 We next sketch an alternative $\epsilon$-differentially private protocol that $(O(1), \sqrt{n}/\epsilon)$- 
approximates SUM$_n$: 

1. Each party $p_i$ with private input $x_i \in \{0, 1\}$ samples $y_i \sim \mathrm{Lap}(1/\epsilon)$ and sends $z_i = x_i + y_i$ to 
$C$. 

2. $C$ locally computes $\hat{f} = \sum_{i=1}^{n} z_i$ and publishes the result. 

The privacy of the protocol follows from the arguments in Section 2.1. 

Remark 3.2 The above constructions result in symmetric approximations to SUM($\cdot$) (i.e., the 
output distribution depends solely on SUM($\cdot$) and not on the specific assignment). While these 
differentially private protocols use $O(n)$ messages, it can be shown that no efficient SFE 
protocols exist for such symmetric functions (see Section for more details). 
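The two local-model protocols of this section, randomized response and the Laplace variant of Remark 3.1, side by side (an added example, not code from the paper). The value of $\alpha$ is not legible on this page, so the example assumes the largest $\alpha$ for which $(0.5+\alpha)/(0.5-\alpha) = e^{\epsilon}$; function names, the input and the parameters are constructed.

```python
import math
import random


def alpha_for(eps):
    # ASSUMPTION: alpha's value is not legible on this page. This choice is the
    # largest alpha for which (0.5 + alpha) / (0.5 - alpha) equals e^eps.
    return (math.exp(eps) - 1.0) / (2.0 * (math.exp(eps) + 1.0))


def flip(x, alpha, rng):
    """flip_alpha(x): return x with probability 0.5 + alpha, else 1 - x."""
    return x if rng.random() < 0.5 + alpha else 1 - x


def privacy_ratio(alpha):
    """Pr[flip(1) = 1] / Pr[flip(0) = 1]; by symmetry also the ratio for output 0."""
    return (0.5 + alpha) / (0.5 - alpha)


def rr_estimate(bits, alpha, rng):
    """Steps 1-3: parties send flipped bits, C publishes k, everyone debiases."""
    n = len(bits)
    k = sum(flip(x, alpha, rng) for x in bits)
    return (k - (0.5 - alpha) * n) / (2.0 * alpha)


def rr_expected_estimate(bits, alpha):
    """Exact E[f_hat] via E[k] = (0.5 + a) SUM + (0.5 - a)(n - SUM)."""
    n, s = len(bits), sum(bits)
    expected_k = (0.5 + alpha) * s + (0.5 - alpha) * (n - s)
    return (expected_k - (0.5 - alpha) * n) / (2.0 * alpha)


def rr_stddev(n, alpha):
    """Exact std. dev. of f_hat: every sent bit has variance 0.25 - alpha^2."""
    return math.sqrt(n * (0.25 - alpha * alpha)) / (2.0 * alpha)


def laplace_estimate(bits, eps, rng):
    """Remark 3.1: party i sends x_i + Lap(1/eps); C publishes the sum.
    Lap(1/eps) is sampled as the difference of two Exp(eps) variables."""
    return sum(x + rng.expovariate(eps) - rng.expovariate(eps) for x in bits)


def compare(n=4000, eps=0.5, trials=50, seed=7):
    """Mean absolute error of both protocols on one constructed input."""
    rng = random.Random(seed)
    bits = [1 if rng.random() < 0.3 else 0 for _ in range(n)]  # constructed input
    alpha, true_sum = alpha_for(eps), sum(bits)
    rr = sum(abs(rr_estimate(bits, alpha, rng) - true_sum)
             for _ in range(trials)) / trials
    lap = sum(abs(laplace_estimate(bits, eps, rng) - true_sum)
              for _ in range(trials)) / trials
    return {"sqrt_n_over_eps": math.sqrt(n) / eps,
            "rr_mean_abs_err": rr,
            "laplace_mean_abs_err": lap,
            "rr_stddev": rr_stddev(n, alpha)}


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:>22}: {value:8.1f}")
```

Both errors come out as a small constant times $\sqrt{n}/\epsilon$, which is the accuracy regime the remarks above refer to.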

3.2 Distance from a Long Subsequence of O's 

Our second function measures how many bits in a sequence $x$ of $n$ bits should be set to zero to get 
an all-zero consecutive subsequence of length $n^{\alpha}$. In other words, the function should return the 
minimum weight over all substrings of $x$ of length $n^{\alpha}$ bits: 

For $t < n/2$ we present a $(t, \epsilon, \delta)$-differentially private protocol approximating DIST$_\alpha(x)$ with 
additive error $O(n^{\alpha/3}/\epsilon)$. 

In our protocol, we treat the $n$-bit string $x$ (where $x_i$ is held by party $p_i$) as a sequence of 
$n^{1-\alpha/3}$ disjoint intervals, each $n^{\alpha/3}$ bit long. Let $i_1, \ldots, i_{n^{1-\alpha/3}}$ be the indices of the first bit in each 
interval, and observe that $\min_{i_k}\left(\sum_{j=i_k}^{i_k+n^{\alpha}-1} x_j\right)$ is an $n^{\alpha/3}$ additive approximation of DIST$_\alpha$. The 
protocol for computing an approximation $\hat{f}$ to DIST$_\alpha$ is sketched below. 

1. Every party $p_i$ generates a random variable $Y_i$ distributed according to the normal distribution 
$N(\mu = 0, \sigma^2 = 2R/n)$ where $R$ = , and shares $x_i + Y_i$ between the parties $p_1, \ldots, p_{t+1}$ 
using an additive $(t + 1)$-out-of-$(t + 1)$ secret sharing scheme. 

2. Every party $p_i$, where $1 \le i \le t + 1$, sums, for every interval of length $n^{\alpha/3}$, the shares it got 
from the parties in the interval and sends this sum to $p_1$. 

3. For every interval of length $n^{\alpha/3}$, party $p_1$ computes the sum of the $t + 1$ sums it got for the 
interval. By the additivity of the secret sharing scheme, this sum is equal to 

$$S_k = \sum_{j=i_k}^{i_k+n^{\alpha/3}-1} (x_j + Y_j) = \sum_{j=i_k}^{i_k+n^{\alpha/3}-1} x_j + Z_k,$$

where $Z_k = \sum_{j=i_k}^{i_k+n^{\alpha/3}-1} Y_j$ (notice that $Z_k \sim N(\mu = 0, \sigma^2 = 2R)$). 

4. $p_1$ computes $\min_k \sum_{j=k}^{k+n^{2\alpha/3}-1} S_j$ and sends this output to all parties. 

Using the analysis of [9], this protocol is a $(t, \epsilon, \delta)$-differentially private protocol when $2t < n$. 
Furthermore, it can be shown that with high probability the additive error is 
conclude, we showed a simple 3 round protocol for DIST$_\alpha$. 
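The four steps of the protocol on a concrete instance ($n = 4096$, $\alpha = 1/2$, hence intervals of 4 bits and windows of 64 bits), as an added example that is not code from the paper. The modulus `Q`, the fixed-point `SCALE`, all function names and the input are constructed; the value of $R$ is not legible on this page, so the noise standard deviation `sigma` is passed in directly as an assumption.

```python
import random

Q = (1 << 61) - 1     # share modulus (assumption: larger than every encoded sum)
SCALE = 10 ** 6       # fixed-point scale, i.e. rounding to 6 digits (assumption)


def encode(value):
    """Round a real number to fixed point and map it into Z_Q."""
    return round(value * SCALE) % Q


def decode(residue):
    """Inverse of encode for values of magnitude below Q / (2 * SCALE)."""
    residue %= Q
    if residue > Q // 2:
        residue -= Q
    return residue / SCALE


def share(value, holders, rng):
    """Additive holders-out-of-holders sharing: every share is needed to recover value."""
    shares = [rng.randrange(Q) for _ in range(holders - 1)]
    shares.append((encode(value) - sum(shares)) % Q)
    return shares


def dist_exact(bits, window):
    """Minimum weight over all substrings of the given length (the target function)."""
    weight = sum(bits[:window])
    best = weight
    for start in range(1, len(bits) - window + 1):
        weight += bits[start + window - 1] - bits[start - 1]
        best = min(best, weight)
    return best


def run_protocol(bits, t, interval, window, sigma, rng):
    """Steps 1-4 with intervals of `interval` bits and windows of `window` bits."""
    per_window = window // interval
    m = len(bits) // interval
    # Step 1: party j masks its bit and shares x_j + Y_j among p_1..p_{t+1}.
    noisy = [x + rng.gauss(0.0, sigma) for x in bits]
    shares = [share(v, t + 1, rng) for v in noisy]
    # Step 2: share holder i adds, per interval, the shares it received.
    partial = [[sum(shares[j][i] for j in range(k * interval, (k + 1) * interval)) % Q
                for k in range(m)] for i in range(t + 1)]
    # Step 3: p_1 adds the t+1 partial sums of each interval to obtain S_k.
    S = [decode(sum(partial[i][k] for i in range(t + 1))) for k in range(m)]
    # Step 4: minimum over windows that start at an interval boundary.
    estimate = min(sum(S[k:k + per_window]) for k in range(m - per_window + 1))
    return estimate, S, noisy, partial


if __name__ == "__main__":
    rng = random.Random(2024)
    x = [1 if rng.random() < 0.4 else 0 for _ in range(4096)]   # constructed input
    est, S, _, partial = run_protocol(x, t=2, interval=4, window=64, sigma=0.5, rng=rng)
    print("exact DIST        :", dist_exact(x, 64))
    print("protocol estimate :", round(est, 3))
    print("one holder's partial sum for interval 0 (uniform in Z_Q):", partial[1][0])
```

With `sigma=0.0` the estimate differs from the exact value only by the interval-alignment error, which is at most `interval - 1`.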

This protocol demonstrates two advantages of the paradigm of choosing what and how together. 
First, we choose an approximation of DIST$_\alpha$ (i.e., we compute the minimum of subsequences 
starting at a beginning of an interval). This approximation reduces the communication in the 
protocol. Second, we leak information beyond the output of the protocol, as $p_1$ learns the sums 

$(\epsilon, \delta)$-differential privacy is a generalization, defined in [9], of $\epsilon$-differential privacy where it is only required that 
$\Pr[\hat{f}(x) \in V] \le e^{\epsilon} \cdot \Pr[\hat{f}(x') \in V] + \delta$. 

Shared secrets are taken from a finite domain by rounding the numbers $\log n$ digits after the point. This yields 
no breach in privacy and adds a small magnitude of error. 

One can use the techniques of [6] to avoid leaking these sums while maintaining a constant number of rounds, 
however the resulting protocol is less efficient. 

4 Lowerbounds on the Error of Binary Sum and Gap-Threshold 
in the Local Model 

We prove that any $\ell$-round $\epsilon$-differentially private protocol in the local model for computing the 
binary sum function must exhibit an additive error of $\Omega(\sqrt{n}/O(\ell))$. By Corollary 2.16 and Claim 2.17 
it suffices to prove that such a protocol can only compute GAP-TR$_{0,\tau}$ for $\tau = \Omega(\sqrt{n}/O(\ell))$ (i.e., 
the parameter $\kappa$ is set to zero). For that, we show that there are two input vectors - one containing 
$\Omega(\sqrt{n})$ ones, and the other is all zero - for which the curator sees similar distributions on the 
messages, and hence must return similar answers. 

We will begin by having the non-zero vector be distributed according to a probability distribution 
$A$ (on $n$-bit vectors). This implies that a specific choice for this vector exists. In the following 
we set 

$$\alpha = \frac{1}{\epsilon\sqrt{dn}}, \qquad (3)$$

where $d > 1$ (the value of $d$, which is a function of the number of rounds in the protocol is 
determined later). 

Notation 4.1 Define the distribution $A$ on inputs from $\{0, 1\}^n$ as follows: a vector $x = (x_1, \ldots, x_n)$ 
is chosen, where $x_i = 1$ with probability $\alpha$ and $x_i = 0$ with probability $(1 - \alpha)$ (each input $x_i$ is 
chosen independently). 

We use $X$ to identify the random variable representing the joint input and $X_i$ for the random 
variable corresponding to its $i$-th coordinate. The notation $\Pr_A[\cdot]$ is used when a probability over 
the choice of $X$ from $A$ is considered. For a set $D$ of possible curator's views we use the notation 
$\Pr_A[D]$ to denote the probability of the event that the view of the curator falls in $D$ when the joint 
input $X$ is chosen according to $A$. 

Main steps of the proof: In Section 4.1 we analyze properties of non-interactive differentially 
private protocols in the local model, and show that a curator, trying to distinguish between an 
input chosen according to distribution $A$ and the all zero input, fails with constant probability. In 
Section 4.2 we generalize this analysis to interactive protocols in the local model. In Section 4.3 
we complete the proof of the lowerbound on the gap-threshold function in the local model. 



4.1 Differentially Private Protocols in the Non-Interactive Local Model 

Consider protocols in the non-interactive local model where each party holds an input $x_i \in \{0, 1\}$ 
and independently applies an algorithm $S_i$ (also called a sanitizer) before sending the sanitized 
result $c_i$ to the curator. We want to prove that if each $S_i$ is $2\epsilon$-differentially private for some 
$0 < \epsilon \le 1$, then the curator errs with constant probability when trying to distinguish between an 
input chosen according to distribution $A$ and $\mathbf{0}$ (where $\mathbf{0}$ is the vector $0^n$). 

We can relax the condition $\epsilon \le 1$ by a condition $\epsilon \le \epsilon_0$ for any constant $\epsilon_0 > 1$. This would affect some of the 
constants in the calculations below. 

We consider protocols that are $2\epsilon$-differentially private to simplify the notation in Section 4.2. 

For every possible view $c = (c_1, \ldots, c_n)$ of the curator $C$, we consider the ratios of the probability 
of receiving messages according to $c$ when the input is chosen according to $A$ and when it is $\mathbf{0}$. The 
probability is over the randomness of the protocol, and over the choice according to distribution $A$ 
where specified: 

$$r(c) = \frac{\Pr_A[\mathrm{View}_C(X) = c]}{\Pr[\mathrm{View}_C(\mathbf{0}) = c]} \quad \text{and} \quad r_i(c_i) = \frac{\Pr_A[S_i(X_i) = c_i]}{\Pr[S_i(0) = c_i]}. \qquad (4)$$

Since in a non-interactive protocol $\Pr[\mathrm{View}_C(\mathbf{0}) = c] = \prod_{i=1}^{n} \Pr[S_i(0) = c_i]$ (the sanitizers $S_i$ use 
independent randomness) and $\Pr_A[\mathrm{View}_C(X) = c] = \prod_{i=1}^{n} \Pr_A[S_i(X_i) = c_i]$ (the sanitizers $S_i$ use 
independent randomness and the entries of the random variable $X$ are chosen independently), we 
have that 

$$r(c) = \prod_{i=1}^{n} r_i(c_i). \qquad (5)$$



We next show that if the inputs are selected according to A, then with constant probability 
r(c) is bounded by a constant. In other words, for those views c of the curator that are likely 
when inputs are selected according to A, the probability of seeing c when the protocol is executed 
with inputs selected according to A is similar to the probability of seeing c when the protocol is 
executed with inputs set to zero. 

Define a random variable $C = (C_1, \ldots, C_n)$ where $C_i = S_i(X_i)$ and $X_i$ is chosen according to 
the distribution $A$. Defining the random variables $V_i = \ln r_i(C_i)$, we can write for every $\eta > 0$: 

$$\Pr_A[r(C) > \eta] = \Pr_A\left[\prod_{i=1}^{n} r_i(C_i) > \eta\right] = \Pr_A\left[\sum_{i=1}^{n} V_i > \ln \eta\right], \qquad (6)$$

where the first equality is by (5) above. In the next two lemmas we show that each variable $V_i$ is 
bounded, and bound its expectation. Both proofs use the $2\epsilon$-differential privacy of the sanitizers. 
These bounds are then used with the Hoeffding bound in Lemma 4.5 where we bound $\Pr_A[r(C) > \eta]$. 

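Lemma 4.2 For every $i$ and for any $0 < \epsilon \le 1$, with probability one, $1 - 2\alpha\epsilon \le r_i(c_i) \le 1 + 4\alpha\epsilon$ 
and $-4\alpha\epsilon \le V_i \le 4\alpha\epsilon$. 

Proof: For every $i$ and every value $c_i$, 

$$r_i(c_i) = \frac{\Pr_A[S_i(X_i) = c_i]}{\Pr[S_i(0) = c_i]} = \frac{\alpha \Pr[S_i(1) = c_i] + (1 - \alpha) \Pr[S_i(0) = c_i]}{\Pr[S_i(0) = c_i]} = 1 + \alpha\left(\frac{\Pr[S_i(1) = c_i]}{\Pr[S_i(0) = c_i]} - 1\right).$$

Using $e^{-2\epsilon} \le \frac{\Pr[S_i(1) = c_i]}{\Pr[S_i(0) = c_i]} \le e^{2\epsilon}$ we get that 

$$1 + \alpha(e^{-2\epsilon} - 1) \le r_i(c_i) \le 1 + \alpha(e^{2\epsilon} - 1).$$

Using $e^{2x} \le 1 + 4x$ and $1 - e^{-2x} \le 2x$ for $0 < x \le 1$, we get $1 - 2\alpha\epsilon \le r_i(c_i) \le 1 + 4\alpha\epsilon$. Recall 
that $V_i = \ln r_i(C_i)$. Using $\ln(1 + x) \le x$ and $\ln(1 - x) \ge -2x$ for $0 \le x \le 0.5$ and noting that 
$\alpha = 1/(\epsilon\sqrt{dn})$ and hence $4\alpha\epsilon \le 0.5$, we get that $-4\alpha\epsilon \le V_i \le 4\alpha\epsilon$. □ 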

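Lemma 4.3 For every $i$ and for any $0 < \epsilon \le 1$, 

Proof: For the proof, we assume that the output of $S_i$ is in a countable set. Let 

$$B_b = \{c_i : r_i(c_i) = 1 + b\} \quad \text{for } -2\alpha\epsilon \le b \le 4\alpha\epsilon.$$

Lemma 4.2 implies that these are the only values possible for $b$. By the definition of $r_i$, for every 
$c_i \in B_b$, 

$$\frac{\Pr_A[S_i(X_i) = c_i]}{\Pr[S_i(0) = c_i]} = r_i(c_i) = 1 + b,$$

and hence, 

$$\Pr[S_i(0) \in B_b] = \frac{\Pr_A[S_i(X_i) \in B_b]}{1 + b}. \qquad (7)$$

Let $\beta = 2\alpha\epsilon$. We next bound $E[V_i]$: 

$$E[V_i] = E_A[\ln r_i(C_i)] = \sum_{-\beta \le b \le 2\beta} \Pr_A[S_i(X_i) \in B_b] \cdot \ln(1 + b)$$

$$\le \sum_{-\beta \le b \le 2\beta} \Pr_A[S_i(X_i) \in B_b] \cdot b \qquad (8)$$

$$= \sum_{-\beta \le b \le 2\beta} \Pr_A[S_i(X_i) \in B_b] \cdot (1 + 2b^2) - \sum_{-\beta \le b \le 2\beta} \Pr_A[S_i(X_i) \in B_b] \cdot (1 - b + 2b^2), \qquad (9)$$

where (8) follows by $\ln(1 + b) \le b$. Using (7) we can replace the second term in (9) by 
$\sum_{-\beta \le b \le 2\beta} \Pr[S_i(0) \in B_b]$ and get 

$$E[V_i] \le (1 + 2(2\beta)^2) \sum_{-\beta \le b \le 2\beta} \Pr_A[S_i(X_i) \in B_b] - \sum_{-\beta \le b \le 2\beta} \Pr[S_i(0) \in B_b]$$

$$= (1 + 8\beta^2) \cdot \Pr_A[S_i(X_i) \in \cup_b B_b] - \Pr[S_i(0) \in \cup_b B_b]$$

$$\le (1 + 8\beta^2) \cdot 1 - 1 = 8\beta^2 = 32\alpha^2\epsilon^2.$$

□ 

By Lemma 4.3, $E[\sum_{i=1}^{n} V_i] = \sum_{i=1}^{n} E[V_i] \le 32\alpha^2\epsilon^2 n = 32/d$. We next prove Lemma 4.5 which 
shows that $\sum_{i=1}^{n} V_i$ is concentrated around this value. We use the Hoeffding bound: 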

Theorem 4.4 (Hoeffding bound) Let $V_1, \ldots, V_n$ be independent random variables such that $V_i \in 
[a, b]$ and $\sum_{i=1}^{n} E[V_i] = \mu$. Then, for every $t > 0$, 

$$\Pr\left[\sum_{i=1}^{n} V_i - \mu \ge t\right] \le \exp\left(-\frac{2t^2}{n(b - a)^2}\right).$$



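Lemma 4.5 $\Pr_A[r(C) > \exp(\nu/d)] < \exp\left(-(\nu - 32)^2/32d\right)$ for every $\nu > 32$. 

Proof: By Equation (6), Lemma 4.2, Lemma 4.3 and substituting $\alpha = \frac{1}{\epsilon\sqrt{dn}}$: 

$$\Pr_A[r(C) > \exp(\nu/d)] = \Pr_A\left[\sum_{i=1}^{n} V_i > \frac{\nu}{d}\right] \le \Pr_A\left[\sum_{i=1}^{n} V_i - \sum_{i=1}^{n} E[V_i] > \frac{\nu}{d} - n \cdot 32\alpha^2\epsilon^2\right]$$

$$\le \exp\left(-\frac{2\left(\frac{\nu}{d} - n \cdot 32\alpha^2\epsilon^2\right)^2}{64 n \alpha^2 \epsilon^2}\right) = \exp\left(-(\nu - 32)^2/32d\right).$$

□ 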

We now rephrase Lemma 4.5 in a way that would be more convenient for our argument in the 
next section. Let $\Pi$ be a $2\epsilon$-private, non-interactive, local protocol, where $0 < \epsilon \le 1$. For a possible 
curator's view $c$, let 

$$p_A(c) = \Pr_A[\mathrm{View}_C(X) = c] \quad \text{and} \quad p_0(c) = \Pr[\mathrm{View}_C(\mathbf{0}) = c],$$

where in $p_A(c)$ the probability is taken over the choice of $X$ according to the distribution $A$ and the 
randomness of $\Pi$, and in $p_0(c)$ the probability is taken over the randomness of $\Pi$. The following 
corollary follows from Lemma 4.5 and the definition of $r$ in Equation (4). 

Corollary 4.6 Assume we execute $\Pi$ with input sampled according to distribution $A$, then for every 
$\nu > 32$, with probability at least $1 - \exp\left(-(\nu - 32)^2/32d\right)$, the curator's view $c$ satisfies: 

$$p_A(c) \le \exp(\nu/d) \cdot p_0(c),$$

where the probability is taken over the random choice from $A$ and the randomness of $\Pi$. 
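The quantities of this section evaluated exactly for one concrete sanitizer, binary randomized response with $\Pr[S(x) = x] = e^{2\epsilon}/(1 + e^{2\epsilon})$, which is $2\epsilon$-differentially private (an added example, not code from the paper). The sanitizer choice, the function names and the parameters $n = 10000$, $\epsilon = 0.5$, $d = 4$, $\nu = 40$ are assumptions; because all parties use the same sanitizer, the number of ones the curator receives determines $r(c)$, so the distributions over views reduce to two binomials.

```python
import math


def rr_sanitizer_p(eps):
    """Pr[S(x) = x] for binary randomized response that is 2*eps-differentially private."""
    return math.exp(2 * eps) / (1.0 + math.exp(2 * eps))


def per_party_ratios(eps, a):
    """r_i(c_i) of Equation (4) for c_i = 0 and c_i = 1, when X_i = 1 with probability a."""
    p = rr_sanitizer_p(eps)
    r0 = (a * (1 - p) + (1 - a) * p) / p          # Pr_A[S(X_i) = 0] / Pr[S(0) = 0]
    r1 = (a * p + (1 - a) * (1 - p)) / (1 - p)    # Pr_A[S(X_i) = 1] / Pr[S(0) = 1]
    return r0, r1


def log_binom_pmf(n, k, q):
    return (math.lgamma(n + 1) - math.lgamma(k + 1) - math.lgamma(n - k + 1)
            + k * math.log(q) + (n - k) * math.log(1 - q))


def analyse(n, eps, d, nu):
    a = 1.0 / (eps * math.sqrt(d * n))            # Equation (3)
    p = rr_sanitizer_p(eps)
    r0, r1 = per_party_ratios(eps, a)
    q_A = a * p + (1 - a) * (1 - p)               # Pr_A[C_i = 1]
    q_0 = 1 - p                                   # Pr[S(0) = 1]
    mean_V = q_A * math.log(r1) + (1 - q_A) * math.log(r0)      # E[V_i]
    tail = tv = 0.0
    for k in range(n + 1):                        # k = number of ones received
        pA = math.exp(log_binom_pmf(n, k, q_A))
        p0 = math.exp(log_binom_pmf(n, k, q_0))
        tv += 0.5 * abs(pA - p0)                  # total variation between the two views
        if k * math.log(r1) + (n - k) * math.log(r0) > nu / d:  # ln r(c) > nu/d
            tail += pA
    return {
        "expected_ones": a * n,                   # expected weight of X under A
        "r_range": (r0, r1),
        "lemma_4_2_range": (1 - 2 * a * eps, 1 + 4 * a * eps),
        "mean_V": mean_V,
        "lemma_4_3_bound": 32 * a * a * eps * eps,
        "tail": tail,                             # Pr_A[r(C) > exp(nu/d)], exact
        "lemma_4_5_bound": math.exp(-(nu - 32) ** 2 / (32.0 * d)),
        "total_variation": tv,
    }


if __name__ == "__main__":
    for d in (1, 4, 16):
        res = analyse(n=10000, eps=0.5, d=d, nu=40)
        print(f"d={d:2d}  ones under A={res['expected_ones']:6.1f}  "
              f"E[V_i]={res['mean_V']:.2e} (bound {res['lemma_4_3_bound']:.2e})  "
              f"TV={res['total_variation']:.3f}")
```

The total variation distance bounds the curator's advantage in telling an input drawn from $A$ from the all-zero input; it stays well below 1 even though the input drawn from $A$ carries about $\sqrt{n}/(\epsilon\sqrt{d})$ ones.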

4.2 Differentially Private Protocols in the Interactive Local Model 

In this section we generalize Corollary 4.6 to interactive local protocols where each party holds an 
input $x_i \in \{0, 1\}$. The structure of our argument is as follows: 

1. We decompose an $\ell$-round $\epsilon$-differentially private protocol $\Pi$ into $\ell$ non-interactive, local 
protocols, and prove that each of the $\ell$ protocols is $2\epsilon$-differentially private. Thus, we can 
apply Corollary 4.6 to each protocol. 

2. We view the original protocol as a protocol between the curator and a single party, simulating 
the other $n$ parties. In this protocol the curator's goal is to determine whether inputs are all 
zero or they are sampled according to $A$. We apply a composition lemma to show that the 
curator's success probability does not increase by too much as $\ell$ grows. Clearly, this is true 
also for the original protocol. 

4.2.1 A Composition Lemma 

Consider an interactive protocol, where a (deterministic) curator $C$ sends adaptive queries to a 
single (randomized) party $p$ holding a private input $x \in \{0, 1\}$ in a similar setup to that of the local 
model (except that we make no requirement for $\epsilon$-differential privacy). We assume that the party 
$p$ is stateless and that in each round $1 \le j \le \ell$, the protocol proceeds as follows: 

1. In the first phase of round $j$, the curator $C$ sends $p$ a message $q_j$ (this message is also called 
the query); this message is a function of the round number $j$ and the messages the curator 
got from $p$ in the previous rounds. 

2. In the second phase of round $j$, party $p$ chooses fresh random coins and based on these coins 
and the query $q_j$ it computes a message $V_j$ and sends it to the curator. We consider the 
randomized function computing the message $V_j$ as an algorithm $A_j$, that is, $V_j = A_j(x)$. 

Definition 4.7 We say that a possible outcome $V$ is $\epsilon$-good for algorithm $A_j$ if $\Pr[A_j(1) = 
V] \le e^{\epsilon} \Pr[A_j(0) = V]$, where the probabilities are taken over the randomness of algorithm $A_j$. An 
algorithm $A_j$ is $(\epsilon, \delta)$-good if $\Pr[A_j(1) \text{ is } \epsilon\text{-good for } A_j] \ge 1 - \delta$, where the probability is taken over 
the randomness of $A_j$. 

Let $\Pi$ be a protocol, as defined above, in which for every $j$ and every transcript of messages 
$V_1, \ldots, V_{j-1}$, sent by $p$ in rounds $1, \ldots, j - 1$, the curator $C$ replies with a query $q_j$, such that 
the algorithm $A_j$ resulting from $q_j$ is an $(\epsilon, \delta)$-good algorithm. Define a randomized algorithm $\hat{A}$ 
that simulates the interaction between $p$ and $C$, i.e., given input $x \in \{0, 1\}$ it outputs a transcript 
$(q_1, V_1, q_2, V_2, \ldots, q_\ell, V_\ell)$ sampled according to $\Pi(x)$. 

Lemma 4.8 $\hat{A}$ is $(\ell\epsilon, 1 - (1 - \delta)^{\ell})$-good. 

Proof: Choose a random transcript $(q_1, V_1, q_2, V_2, \ldots, q_\ell, V_\ell)$, and let $A_1, A_2, \ldots, A_\ell$ be the 
algorithms defined by this transcript. By our assumptions all these algorithms are $(\epsilon, \delta)$-good. 
Thus, with probability at least $(1 - \delta)^{\ell}$, the transcript $V = (q_1, V_1, q_2, V_2, \ldots, q_\ell, V_\ell)$ is such that $V_j$ 
is $\epsilon$-good for $A_j$ for all $1 \le j \le \ell$. It suffices, hence, to prove that when that happens the transcript 
$V$ is $\ell\epsilon$-good for $\hat{A}$, and indeed, 

$$\Pr[\hat{A}(1) = (q_1, V_1, q_2, V_2, \ldots, q_\ell, V_\ell)] = \prod_{j=1}^{\ell} \Pr[A_j(1) = V_j]$$

$$\le \prod_{j=1}^{\ell} e^{\epsilon} \cdot \Pr[A_j(0) = V_j]$$

$$= e^{\ell\epsilon} \cdot \prod_{j=1}^{\ell} \Pr[A_j(0) = V_j]$$

$$= e^{\ell\epsilon} \cdot \Pr[\hat{A}(0) = (q_1, V_1, q_2, V_2, \ldots, q_\ell, V_\ell)].$$

The first and last equalities follow by independence and by the fact that the curator is deterministic. 
The inequality follows by the $\epsilon$-goodness of $V_1, \ldots, V_\ell$. □ 



4.2.2 The Main Lemma 

Let $\Pi$ be an $\ell$-round, local, $\epsilon$-differentially private protocol, where $0 < \epsilon \le 1$. For a possible 
curator's view $c$, let 

$$p_A(c) = \Pr_A[\mathrm{View}_C(X) = c] \quad \text{and} \quad p_0(c) = \Pr[\mathrm{View}_C(\mathbf{0}) = c],$$

where in $p_A(c)$ the probability is taken over the choice of $X$ according to the distribution $A$ and 
the randomness of $\Pi$, and in $p_0(c)$ the probability is taken over the randomness of $\Pi$. 

Lemma 4.9 Assume we execute $\Pi$ with input sampled according to distribution $A$, then for every 
$\nu > 32$, with probability at least $1 - \ell \cdot \exp\left(-(\nu - 32)^2/32d\right)$, the curator's view $c$ satisfies: 

$$p_A(c) \le \exp(\ell\nu/d) \cdot p_0(c),$$

where the probability is taken over the random choice from distribution $A$ and the randomness of 
$\Pi$. 

Proof: Recall that in the interactive local model, a protocol is composed of $\ell$ rounds where in 
each round the curator sends a query to each party and the party sends an answer. We modify 
the protocol, to make the parties stateless, by introducing the following changes to the interaction 
between the curator and every party $p_i$. Both changes do not affect the privacy of the protocol, 
nor its outcome. 

1. In round $j$ the curator sends all queries and answers $q_1, a_1, \ldots, a_{j-1}, q_j$ it sent and received 
from $p_i$ in previous rounds. 

2. Party $p_i$ chooses a fresh random string in each round, that is, in round $j$, party $p_i$ chooses with 
uniform distribution a random string that is consistent with the queries and answers it got in 
the previous rounds (since we assume that the parties are computationally unbounded, such 
choice is possible). Party $p_i$ uses this random string to answer the $j$th query. In other words, 
we can consider $p_i$ as applying an algorithm $A_j$ to compute the $j$th answer; this algorithm 
depends on the previous queries and answers and uses an independent random string $r_j$. 

We next claim that $A_j$ is $2\epsilon$-differentially private. That is, we claim that the probability that 
$a_j$ is generated given the previous queries and answers is roughly the same when $p_i$ holds the bit 
0 and when $p_i$ holds the bit 1. For a transcript $c$ of the first $j$ rounds between $p_i$ and the curator 
$C$ and for $x_i \in \{0, 1\}$, we denote by $R_c^{x_i}$ the set of all random strings $r$, such that $p_i$ with private 
input $x_i$ and random input $r$ sends at each round messages according to $c$, provided it received 
all messages according to $c$ in previous rounds. Recall that $\Pr[r_j \in R_c^{x_i}]$ is denoted $\alpha_i^{c}(x_i)$. Let 
$c_j = q_1, a_1, \ldots, q_{j-1}, a_{j-1}, q_j, a_j$ be a $j$-round transcript and let $c'_j = q_1, a_1, \ldots, q_{j-1}, a_{j-1}, q_j$ be the 
prefix of $c_j$ without the $j$th round answer $a_j$ (that is, $c_j = c'_j \circ a_j$). Note that, since $r_j$ must be 
consistent with the $c'_j$, it holds for every $x_i \in \{0, 1\}$ that $\Pr[A_j(x_i) = a_j] = \Pr[r_j \in R_{c_j}^{x_i} \mid r_j \in R_{c'_j}^{x_i}]$. 
We therefore need to show that 

To show that, we use the following two facts, which follow from Definition 2.12: 

(10) 

and 

Hence, we have 

$$r \triangleq \frac{\Pr[A_j(1) = a_j]}{\Pr[A_j(0) = a_j]} = \frac{\Pr[r_j \in R_{c_j}^{1} \mid r_j \in R_{c'_j}^{1}]}{\Pr[r_j \in R_{c_j}^{0} \mid r_j \in R_{c'_j}^{0}]}$$

$$= \frac{\Pr[r_j \in R_{c_j}^{1} \wedge r_j \in R_{c'_j}^{1}]}{\Pr[r_j \in R_{c'_j}^{1}]} \cdot \frac{\Pr[r_j \in R_{c'_j}^{0}]}{\Pr[r_j \in R_{c_j}^{0} \wedge r_j \in R_{c'_j}^{0}]}$$

$$= \frac{\Pr[r_j \in R_{c_j}^{1}]}{\Pr[r_j \in R_{c'_j}^{1}]} \cdot \frac{\Pr[r_j \in R_{c'_j}^{0}]}{\Pr[r_j \in R_{c_j}^{0}]}.$$

Now, by using the right inequality in Equation (10) and the left inequality in Equation (11), we 
get that $r \le e^{2\epsilon}$ and similarly, by using the left inequality in Equation (10) and the right inequality 
in Equation (11), we get that $r \ge e^{-2\epsilon}$. Thus, the answers of the $n$ parties in round $j$ are $2\epsilon$-private, 
and we can apply Corollary 4.6 to the concatenation of the $n$ answers. 

To simplify notation, we omit the subscript $i$ from the queries and answers. 

We now use the above protocol to construct a protocol $\Pi_1$ between a single party, holding 
a one bit input $x$ and a curator. Throughout the execution of the protocol the party simulates 
all $n$ parties as specified by the original protocol $\Pi$ (i.e., sends messages to the curator with the 
same distribution as the $n$ parties send them). If the bit of the party in $\Pi_1$ is 1 it chooses the $n$ 
input bits of the $n$ parties in $\Pi$ according to distribution $A$. If the bit of the party in $\Pi_1$ is 0 it 
chooses the $n$ input bits of the $n$ parties in $\Pi$ to be the all-zero vector. By Corollary 4.6 we can 
apply the composition lemma - Lemma 4.8 - to the composition of the $\ell$, $2\epsilon$-differentially private, 
non-interactive protocols and the lemma follows. □ 

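Corollary 4.10 Let $0 < \epsilon \le 1$. For every $\nu > 32$ and for every set $D$ of views in an $\ell$-round, 
$\epsilon$-differentially private, local protocol, 

$$\Pr[\mathrm{View}_C(\mathbf{0}) \in D] \ge \frac{\Pr_A[\mathrm{View}_C(X) \in D] - \ell \cdot \exp\left(-(\nu - 32)^2/32d\right)}{\exp(\ell\nu/d)}.$$

Proof: Let 

$$D_1 = \{c \in D : \Pr_A[\mathrm{View}_C(X) = c] \le \exp(\ell\nu/d) \Pr[\mathrm{View}_C(\mathbf{0}) = c]\}$$

and 

$$D_2 = \{c \in D : \Pr_A[\mathrm{View}_C(X) = c] > \exp(\ell\nu/d) \Pr[\mathrm{View}_C(\mathbf{0}) = c]\}.$$

That is, $D_2 = D \setminus D_1$. By Lemma 4.9, $\Pr_A[\mathrm{View}_C(X) \in D_2] \le \ell \exp\left(-(\nu - 32)^2/32d\right)$, and, 
furthermore, $\Pr[\mathrm{View}_C(\mathbf{0}) \in D_1] \ge \Pr_A[\mathrm{View}_C(X) \in D_1] / \exp(\ell\nu/d)$. Thus, 

$$\Pr[\mathrm{View}_C(\mathbf{0}) \in D] \ge \Pr[\mathrm{View}_C(\mathbf{0}) \in D_1] \ge \frac{\Pr_A[\mathrm{View}_C(X) \in D_1]}{\exp(\ell\nu/d)}$$

$$= \frac{\Pr_A[\mathrm{View}_C(X) \in D] - \Pr_A[\mathrm{View}_C(X) \in D_2]}{\exp(\ell\nu/d)} \ge \frac{\Pr_A[\mathrm{View}_C(X) \in D] - \ell e^{-(\nu - 32)^2/32d}}{\exp(\ell\nu/d)}.$$

□ 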

4.3 Completing the Lowerbound for Gap-Threshold and Sum in the Local 
Model 

We now complete the proof that in any $\ell$-round, $\epsilon$-differentially private, local protocols for the 
gap-threshold function, namely, GAP-TR$_{0,\tau}$, if $\tau \ll \sqrt{n}$ and $\ell$ is small, then the curator errs with 
constant probability. 

Recall that we constructed the distribution $A$ in which each bit in the input is chosen 
(independently at random) to be one with probability $\alpha$ and zero with probability $1 - \alpha$. Lemma 4.11, 
which follows from a standard Chernoff bound argument, states that when generating a vector 
$(X_1, \ldots, X_n)$ according to $A$, the sum $\sum_{i=1}^{n} X_i$ is concentrated around its expected value, which is 
$\alpha n$ (recall that $\alpha = 1/(\epsilon\sqrt{dn})$). We apply the following Chernoff bound: Given $n$ zero-one random 
variables $X_1, \ldots, X_n$ and $0 < t < 1$, $\Pr\left[\sum_{i=1}^{n} X_i < (1 - t)\mu\right] < \exp\left(-t^2\mu/2\right)$, where $\mu = \sum_{i=1}^{n} E[X_i]$. 

Lemma 4.11 $\Pr_A\left[\sum_{i=1}^{n} X_i < (1 - \gamma)\alpha n\right] < \exp\left(-\frac{\gamma^2\sqrt{n}}{2\epsilon\sqrt{d}}\right)$ for every $0 < \gamma < 1$. 

Proof: We use the above bound with $\mu = \alpha n = \sqrt{n}/(\epsilon\sqrt{d})$. Thus, 

$$\Pr_A\left[\sum_{i=1}^{n} X_i < (1 - \gamma)\alpha n\right] < \exp\left(-\frac{\gamma^2 \alpha n}{2}\right) = \exp\left(-\frac{\gamma^2\sqrt{n}}{2\epsilon\sqrt{d}}\right).$$

□ 

On one hand, by Corollary 4.10, the distributions on the outputs when the input vector is taken 
from $A$ and when it is the all zero vector are not far apart. On the other hand, by Lemma 4.11, 
with high probability the number of ones in the inputs distributed according to $A$ is fairly big. 
These facts are used in Theorem 4.12 to prove the lowerbound. 

Theorem 4.12 Let $0 < \epsilon \le 1$. There exist constants $c > 0$ and $p > 0$ such that in any $\ell$-round, 
$\epsilon$-differentially private, local protocol for computing GAP-TR$_{0,\tau}$ for $\tau \le c \cdot \frac{\sqrt{n}}{\epsilon\ell\sqrt{\log \ell}}$ the curator errs 
with probability at least $p$. 

Proof: Fix any $\ell$-round, $\epsilon$-differentially private, local protocol for computing GAP-TR$_{0,\tau}$. Recall 
that in the local model the curator is assumed to be deterministic. Thus, the curator, having seen 
its overall view of the execution of the protocol $c$, applies a deterministic algorithm $G$ to $c$, where 
$G(c)$ is the output of the protocol (which is supposed to answer GAP-TR$_{0,\tau}(x_1, \ldots, x_n)$ correctly). 
Let $\tau = \alpha n/2 = \sqrt{n}/(2\epsilon\sqrt{d})$. 

Denote by $D$ the set of vectors of communication for which the curator answers 1, i.e., $D = 
\{c : G(c) = 1\}$. The idea of the proof is as follows. If the probability of $D$ under the distribution $A$ 
is small, then the curator has a big error when the inputs are distributed according to $A$. Otherwise, 
by Corollary 4.10, the probability of $D$ when the inputs are all zero is big, hence the curator has a 
big error when the inputs are the all-zero string. Formally, there are two cases: 

Case I: $\Pr_A[D] < 0.99$. We consider the event that the sum of the inputs is at least $\tau = \alpha n/2$ and 
the curator returns zero as an answer, that is, the curator errs. 

We show that when the inputs are distributed according to $A$ the probability of the 
complementary of this event is bounded away from 1. By the union bound the probability of the 
complementary event is at most $\Pr_A[\sum_{i=1}^{n} X_i < 0.5\alpha n] + \Pr_A[D]$. By Lemma 4.11, 

$$\Pr_A[D] + \Pr_A\left[\sum_{i=1}^{n} X_i < 0.5\alpha n\right] < 0.99 + \exp\left(-0.25\sqrt{n}/(2\epsilon\sqrt{d})\right) \approx 0.99.$$

Thus, in this case, with probability $\approx 0.01$ the curator errs. 

Case II: $\Pr_A[D] \ge 0.99$. Here, we consider the event that the input is the all-zero string and the 
curator answers 1, that is, the curator errs. 

We use Corollary 4.10 and show that when the inputs are all zero, the probability of this 
event is bounded away from 0 when taking $\nu = \Theta(\ell \log \ell)$ and $d = \ell\nu = \Theta(\ell^2 \log \ell)$, 

$$\Pr[\mathrm{View}_C(\mathbf{0}) \in D] \ge \frac{\Pr_A[D] - \ell \exp\left(-(\nu - 32)^2/32d\right)}{\exp(\ell\nu/d)} > \frac{0.99 - 0.5}{\exp(1)} > 0.01.$$

Thus, in this case, with probability at least 0.01, the curator errs. As $d = \Theta(\ell^2 \log \ell)$, we get 
that $\tau = \sqrt{n}/(2\epsilon\sqrt{d}) = \Theta\left(\sqrt{n}/(\epsilon\ell\sqrt{\log \ell})\right)$. 

□ 

By applying the local model variant of Corollary 2.16 we get our lowerbound for SUM$_n$ as a 
corollary of Theorem 4.12. 

Corollary 4.13 Let $0 < \epsilon \le 1$. There exist constants $\delta > 0$ and $p > 0$ such that in any $\ell$-round, 
$\epsilon$-differentially private, local protocol for computing SUM$_n$ the curator errs with probability at least 

Proof: Let $\Pi$ be an $\ell$-round, $\epsilon$-differentially private, local protocol for computing SUM$_n$, for 
which the curator errs by at most $\tau$ with probability at most $p$. By Corollary 2.16 there exists an 
$\ell$-round, $\epsilon$-differentially private, local protocol for computing GAP-TR$_{0,2\tau}$ that errs with probability at 
most $p$. □ 



5 Lowerbounds for Binary Sum and Gap-Threshold in the Distributed Model 

We prove that, in any $\ell$-round, fixed-communication, $(t, \epsilon)$-differentially private protocol computing 
the binary sum with additive error less than $\sqrt{n}/O(\ell)$, the number of messages sent in the protocol 
is $\Omega(nt)$. In the heart of our proof is the more general observation that in the information theoretic 
setting, a party that has at most $t$ neighbors must protect its privacy with respect to his neighbors, 
since this set separates it from the rest of the parties. Thus, any such party, is essentially as limited 
as any party participating in a protocol in the local communication model. 

5.1 From Distributed to Local Protocols 

We start with the transformation of a distributed protocol, using a small number of messages to a 
protocol in the local model. 

Lemma 5.1 If there exists an $\ell$-round, fixed communication, $(t, \epsilon)$-differentially private protocol 
that $(\gamma, \tau)$-approximates SUM$_n$ sending at most $n(t + 1)/4$ messages, then there exists an $(\ell + 1)$- 
round, $\epsilon$-differentially private protocol in the local model that $(\gamma, \tau)$-approximates SUM$_{n/2}$. 

Proof: The intuition behind the proof is that in the information-theoretic model, if an input of a
party affects the output, then the neighbors of this party must learn information on its input. Recall
that a party in a protocol $\Pi$ is lonely if it communicates with at most $t$ other parties and it is popular
otherwise. If a party $p_i$ is lonely then it has at most $t$ neighbors; thus, from the privacy requirement
in $(t, \epsilon)$-differentially private protocols, they are not allowed to learn "too much" information on
the input of $p_i$. Therefore, the inputs of lonely parties cannot affect the output of the protocol by
too much, and, since there are many lonely parties, the protocol must have a large error.

Formally, assume that there is a distributed protocol $\Pi$ satisfying the conditions in the lemma.
As the protocol sends at most $n(t+1)/4$ messages, the protocol uses at most $n(t+1)/4$ channels.
Since each channel connects two parties, there are at least $n/2$ lonely parties. We will construct
a protocol in the local model which $(\gamma, \tau)$-approximates $\mathrm{SUM}_{n/2}$ in two steps: In the first step,
which is the main part of the proof, we construct a protocol $\mathcal{P}$ in the local model which
$(\gamma, \tau)$-approximates $\mathrm{SUM}_n$ and only protects the privacy of the lonely parties. In the second step, we fix
the inputs of the popular parties and obtain a protocol $\mathcal{P}'$ for $n/2$ parties that protects the privacy
of all parties.

First Step. We convert the distributed protocol $\Pi$ to a protocol $\mathcal{P}$ in the local model as follows:
Recall that in the local model each round consists of two phases, where in the first phase the curator
sends queries to the parties and in the second phase the parties send the appropriate responses. We
hence have a single round in $\mathcal{P}$ for every round of $\Pi$ such that every message $m$ that Party $p_j$ sends
to Party $p_k$ in round $i$ in protocol $\Pi$, Party $p_j$ sends $m$ to the curator in round $i$ and the curator
sends $m$ to Party $p_k$ in the first phase of round $i+1$. Finally, at the end of the protocol Party $p_1$
sends the output to the curator.

We next prove that $\mathcal{P}$ protects the privacy of lonely parties. Without loss of generality, let
$p_1$ be a lonely party, let $T$ be the set of size at most $t$ containing the neighbors of $p_1$, and let
$R = \{p_1, \ldots, p_n\} \setminus (T \cup \{p_1\})$. See Figure 1 for a description of these sets. Fix any neighboring
vectors of inputs $\mathbf{x}$ and $\mathbf{x}'$ which differ on $x_1$. The view of the curator in $\mathcal{P}$ contains all messages
sent in the protocol. It suffices to prove that for every view $v$,

$$\Pr[\mathrm{View}_C^{\mathcal{P}}(\mathbf{x}) = v] \le e^{\epsilon} \cdot \Pr[\mathrm{View}_C^{\mathcal{P}}(\mathbf{x}') = v] \qquad (12)$$

(by simple summation it will follow for every set of views $V$).




Figure 1: The partition of the parties to sets. 

Fix a view $v$ of the curator. For a set $A$, define $\alpha_A$ and $\alpha'_A$ as the probabilities in $\Pi$ that in
each round the set $A$ with inputs from $\mathbf{x}$ and $\mathbf{x}'$ respectively sends messages according to $v$ if it gets
messages according to $v$ in previous rounds (these probabilities are taken over the random inputs
of the parties in $A$). Observe that if $p_1 \notin A$, then $\alpha_A = \alpha'_A$ (since $\mathbf{x}$ and $\mathbf{x}'$ only differ on $x_1$). By
simulating $p_1$, $T$, $R$ by three parties and applying Lemma 2.10, and by the construction of $\mathcal{P}$ from
$\Pi$,

$$\Pr[\mathrm{View}_C^{\mathcal{P}}(\mathbf{x}) = v] = \alpha_{\{p_1\}} \cdot \alpha_T \cdot \alpha_R, \text{ and}$$
$$\Pr[\mathrm{View}_C^{\mathcal{P}}(\mathbf{x}') = v] = \alpha'_{\{p_1\}} \cdot \alpha'_T \cdot \alpha'_R = \alpha'_{\{p_1\}} \cdot \alpha_T \cdot \alpha_R.$$

Thus, proving Equation (12) is equivalent to proving that

$$\alpha_{\{p_1\}} \le e^{\epsilon} \alpha'_{\{p_1\}}. \qquad (13)$$

We use the $(t, \epsilon)$-privacy of protocol $\Pi$ to prove Equation (13). Let $v_T$ be the messages sent and
received by the parties in $T$ in $v$. As $T$ separates $p_1$ from $R$, the messages in $v_T$ are all messages
in $v$ except for the messages exchanged between parties in $R$. The view of $T$ includes the inputs
of $T$ in $\mathbf{x}$, the messages $v_T$, and the random inputs $r_T = \{r_i : p_i \in T\}$. For a set $A$, define $\beta_A$ and
$\beta'_A$ as the probabilities that in $\Pi$ in each round the set $A$ with inputs from $\mathbf{x}$ and $\mathbf{x}'$ respectively
sends messages according to $v_T$ if it gets messages according to $v_T$ in previous rounds. Note that
$\beta_{\{p_1\}} = \alpha_{\{p_1\}}$ and $\beta'_{\{p_1\}} = \alpha'_{\{p_1\}}$ by the definition of $\mathcal{P}$. By simulating $p_1$, $T$, $R$ by three parties,
where the random inputs of $T$ are fixed to $r_T$, and by Lemma 2.10,

$$\Pr[\mathrm{View}_T^{\Pi}(\mathbf{x}) = (\mathbf{x}_T, r_T, v_T)] = \alpha_{\{p_1\}} \cdot \beta_R, \text{ and}$$
$$\Pr[\mathrm{View}_T^{\Pi}(\mathbf{x}') = (\mathbf{x}_T, r_T, v_T)] = \alpha'_{\{p_1\}} \cdot \beta'_R = \alpha'_{\{p_1\}} \cdot \beta_R$$

(recalling that $\mathbf{x}_T = \mathbf{x}'_T$). The above probabilities are taken over the random strings of $R$ and $p_1$
when the random strings of $T$ are fixed to $r_T$. The $(t, \epsilon)$-differential privacy of $\Pi$ implies that

$$\Pr[\mathrm{View}_T^{\Pi}(\mathbf{x}) = (\mathbf{x}_T, r_T, v_T)] \le e^{\epsilon} \Pr[\mathrm{View}_T^{\Pi}(\mathbf{x}') = (\mathbf{x}_T, r_T, v_T)].$$

Thus, $\alpha_{\{p_1\}} \le e^{\epsilon} \alpha'_{\{p_1\}}$ and, therefore, $\mathcal{P}$ is $\epsilon$-differentially private with respect to inputs of lonely
parties.



Second Step. There are at least $n/2$ lonely parties in $\Pi$; without loss of generality, parties
$p_1, \ldots, p_{n/2}$ are lonely. We construct a protocol $\mathcal{P}'$ that $(\gamma, \tau)$-approximates $\mathrm{SUM}_{n/2}$ by executing
Protocol $\mathcal{P}$ where (i) Party $p_i$, where $1 \le i \le n/2$, with input $x_i$ sends messages in $\mathcal{P}'$ as the party
$p_i$ with input $x_i$ sends them in $\mathcal{P}$; and (ii) in addition, the party $p_1$ in $\mathcal{P}'$ simulates all other $n/2$
parties in $\mathcal{P}$, that is, for every $n/2 < i \le n$, it chooses a random input $r_i$ for $p_i$ and in every round
it sends to the curator the same messages as $p_i$ would send with $x_i = 0$ and $r_i$. Since the curator
sees the same view in $\mathcal{P}$ and $\mathcal{P}'$ and since the privacy of lonely parties is protected in $\mathcal{P}$, the privacy
of each of the $n/2$ parties in $\mathcal{P}'$ is protected. Protocol $\mathcal{P}'$, therefore, $(\gamma, \tau)$-approximates $\mathrm{SUM}_{n/2}$
(since we fixed $x_i = 0$ for $n/2 < i \le n$ and $\mathcal{P}'$ returns the same output distribution as $\Pi$, which
$(\gamma, \tau)$-approximates $\mathrm{SUM}_n$ for all possible inputs). □
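
The counting argument and the First Step relay from the proof above, as an added example (not code from the paper). The message schedule, party numbering and payload names are constructed for illustration, and message contents are left abstract.

```python
from collections import defaultdict

# Constructed toy schedule of a 2-round distributed protocol Pi:
# (round, sender, receiver, payload). n = 8 parties, coalition bound t = 2.
N, T, ROUNDS = 8, 2, 2
PI_MESSAGES = [
    (1, 2, 1, "m1"), (1, 3, 1, "m2"), (1, 4, 1, "m3"), (1, 5, 1, "m4"),
    (2, 1, 6, "m5"), (2, 1, 7, "m6"),
]

def within_budget(n, t, messages):
    """Lemma 5.1 hypothesis: at most n(t+1)/4 messages are sent."""
    return 4 * len(messages) <= n * (t + 1)

def lonely_parties(n, t, messages):
    """Parties that communicate with at most t other parties."""
    neighbours = defaultdict(set)
    for _rnd, src, dst, _payload in messages:
        neighbours[src].add(dst)
        neighbours[dst].add(src)
    return [p for p in range(1, n + 1) if len(neighbours[p]) <= t]

def to_local_model(messages, rounds):
    """First Step: relay every message of Pi through the curator.

    A message m sent p_j -> p_k in round i is sent by p_j to the curator in
    the response phase of round i and forwarded to p_k in the query phase of
    round i + 1, so the local protocol has rounds + 1 rounds.
    """
    local = {i: {"queries": [], "responses": []} for i in range(1, rounds + 2)}
    for rnd, src, dst, payload in messages:
        local[rnd]["responses"].append((src, dst, payload))  # p_j -> curator
        local[rnd + 1]["queries"].append((dst, src, payload))  # curator -> p_k
    # At the end, p_1 sends the protocol's output to the curator.
    local[rounds + 1]["responses"].append((1, None, "output"))
    return local

def curator_view(local):
    """All payloads the curator receives, in round order."""
    return [payload for rnd in sorted(local)
            for _src, _dst, payload in local[rnd]["responses"]]

if __name__ == "__main__":
    local = to_local_model(PI_MESSAGES, ROUNDS)
    print("within budget:", within_budget(N, T, PI_MESSAGES))
    print("lonely parties:", lonely_parties(N, T, PI_MESSAGES))
    for rnd in sorted(local):
        print(rnd, local[rnd])
    print("curator view:", curator_view(local))
```

The curator's view contains every message of the original protocol, which is why the proof has to argue privacy of a lonely party through the view of its at most $t$ neighbors.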

We are now ready to state the main theorem of this section. 

Theorem 5.2 Let $0 < \epsilon < 1$. There exist constants $\delta > 0$ and $\gamma > 0$ such that in any $\ell$-round,
fixed-communication, $(t, \epsilon)$-differentially private protocol for approximating $\mathrm{SUM}_n$ that sends at
most $n(t+1)/4$ messages the protocol errs with probability at least $\gamma$ by at least j^^=.

Proof: Assume, for sake of contradiction, that there is an $\ell$-round, $(t, \epsilon)$-differentially private
protocol $\Pi$ for computing $\mathrm{SUM}_n$, which sends at most $n(t+1)/4$ messages and errs by at most $\tau$ =
etj^gi with probability at least $1 - \gamma$. By Lemma 5.1 there exists an $(\ell+1)$-round, $\epsilon$-differentially
private, local protocol $\mathcal{P}$ for computing $\mathrm{SUM}_{n/2}$ which errs by at most $\tau$ = ^^^^^ = ^^^^^ with
probability at least $1 - \gamma$. This contradicts Corollary 4.13. □

Theorem 5.2 suggests that whenever we require the error of a differentially private protocol
for approximating SUM to be of magnitude smaller than $\sqrt{n}/\epsilon$, there is no reason to relinquish
the simplicity of the natural paradigm for constructing protocols. In this case, it is possible to
construct relatively simple efficient SFE protocols, which use $O(nt)$ messages, and compute an
additive $(O(1/\epsilon), O(1))$-approximation of SUM.

Remark 5.3 It can also be shown that in any $\ell$-round, fixed-communication, $(t, \epsilon)$-differentially
private protocol computing $\mathrm{GAP\text{-}TR}_{\kappa,\tau}$, for any $0 \le \kappa \le n - \tau$, the number of messages sent in
the protocol is $\Omega(nt)$, for $\tau = \sqrt{n}/O(\ell)$. To show this, use ideas similar to those of Lemma 5.1
and apply Theorem 4.12 to assert that in any $\ell$-round, fixed-communication, $(t, \epsilon)$-differentially private
protocol computing $\mathrm{GAP\text{-}TR}_{0,\tau}$, the number of messages sent in the protocol is $\Omega(nt)$, for
$\tau = \sqrt{n}/O(\ell)$. Then, using Claim 2.17, infer that the same is true for general $\kappa$.



6 SFE for Symmetric Approximations of Binary-Sum 

In this section we show the advantage of using the alternative paradigm for constructing distributed
differentially private protocols whenever we allow an $O(\sqrt{n}/\epsilon)$ approximation. Recall that it is
possible to construct differentially private protocols for such approximations that use $2n$ messages
and are secure against coalitions of size up to $t = n - 1$ (see Section [XT]). We next prove, using ideas
from Chor and Kushilevitz [5], that any SFE protocol for computing a symmetric approximation
for $\mathrm{SUM}_n$, using less than $nt/4$ messages, has error magnitude $\Omega(n)$.

We first give the definition of SFE protocols computing a given randomized function $f(\cdot)$. Here,
again, we only consider protocols where all parties are honest-but-curious and compute the same
output. The definition is given in the information-theoretic model.

Definition 6.1 (SFE) Let $f : (\{0,1\}^*)^n \to \{0,1\}^*$ be an $n$-ary randomized function. Let $\Pi$ be an
$n$-party protocol for computing $f$. For a coalition $T \subseteq \{1, \ldots, n\}$, the view of $T$ during an execution
of $\Pi$ on $\mathbf{x} = (x_1, \ldots, x_n)$, denoted $\mathrm{View}_T(\mathbf{x})$, is defined as in Definition 2.4, i.e., $\mathrm{View}_T(x_1, \ldots, x_n)$
is the random variable containing the inputs of the parties in $T$ (that is, $\{x_i\}_{i \in T}$), the random
inputs of the parties in $T$, and the messages that the parties in $T$ received during the execution of
the protocol with inputs $\mathbf{x} = (x_1, \ldots, x_n)$.

We say that $\Pi$ is a $t$-secure protocol for $f$ if there exists a randomized function, denoted $S$, such
that for every $t' \le t$, for every coalition $T = \{i_1, \ldots, i_{t'}\}$, and for every inputs $\mathbf{x} = (x_1, \ldots, x_n)$, the
following two random variables are identically distributed:

• $\{S(T, (x_{i_1}, \ldots, x_{i_{t'}}), o), o\}$, where $o$ is obtained first by sampling $f(\mathbf{x})$ (recall that $f$ is a
randomized function) and then $S$ is applied to $(T, (x_{i_1}, \ldots, x_{i_{t'}}), o)$.

• $\{\mathrm{View}_T(\mathbf{x}), \mathrm{Output}^{\Pi}(\mathrm{View}_T(\mathbf{x}))\}$, where $\mathrm{Output}^{\Pi}(\mathrm{View}_T(\mathbf{x}))$ denotes the output during the
execution represented in $\mathrm{View}_T(\mathbf{x})$.
Claim 6.2 Let $\mathbf{y}$ and $\mathbf{z}$ be two inputs and $T$ be a coalition of size at most $t$ such that $f(\mathbf{y})$ and
$f(\mathbf{z})$ are identically distributed and $y_i = z_i$ for every $i \in T$. In every $t$-secure protocol for $f$, for
any possible view $v_T$ of the set $T$, it holds that $\Pr[\mathrm{View}_T(\mathbf{y}) = v_T] = \Pr[\mathrm{View}_T(\mathbf{z}) = v_T]$.

Proof: Let $T = \{i_1, \ldots, i_{t'}\}$ for $t' \le t$. The two random variables $\{S(T, (y_{i_1}, \ldots, y_{i_{t'}}), o), o\}$ and
$\{S(T, (z_{i_1}, \ldots, z_{i_{t'}}), o), o\}$ (as defined in Definition 6.1) are identically distributed since $f(\mathbf{y})$ and
$f(\mathbf{z})$ are identically distributed. Hence, by the $t$-security of the protocol, so are $\{\mathrm{View}_T(\mathbf{y}), \mathrm{Output}^{\Pi}(\mathbf{y})\}$
and $\{\mathrm{View}_T(\mathbf{z}), \mathrm{Output}^{\Pi}(\mathbf{z})\}$. □

Definition 6.3 (Symmetric Randomized Function) We say that a randomized function $f$
over domain $D$ with range $R$ is symmetric if it does not depend on the ordering on the coordinates
of the input, i.e., for every $(x_1, \ldots, x_n) \in D^n$ and every permutation $\pi : [n] \to [n]$ the
distributions (over $R$) implied by $f(x_1, \ldots, x_n)$ and by $f(x_{\pi(1)}, \ldots, x_{\pi(n)})$ are identical.

Note that allowing $O(nt)$ messages, it is fairly straightforward to construct a symmetric $(t, \epsilon)$-
differentially private protocol with constant ($O(1/\epsilon)$) additive error for $\mathrm{SUM}_n$, using the natural
paradigm with, say, the $\epsilon$-private approximation described in Example 2.3. The following lemma
shows that $\Omega(nt)$ messages are essential whenever a symmetric approximation for $\mathrm{SUM}_n$ is
computed by an SFE protocol, even if it is not required to preserve differential privacy.

Lemma 6.4 Let $f$ be a symmetric randomized function approximating $\mathrm{SUM}_n$ such that for every
input vector $\mathbf{x}$, it holds that $\Pr\left[\,|f(\mathbf{x}) - \mathrm{SUM}(\mathbf{x})| < n/4\,\right] < 1/2$, and let $t < n - 2$. Every
fixed-communication $t$-secure protocol $\Pi$ for computing $f$ uses at least $n(t+1)/4$ messages.
Proof: Let $\Pi$ be a $t$-secure protocol computing $f$ using less than $n(t+1)/4$ messages. Then,
there are at least $n/2$ lonely parties in $\Pi$. The intuition for the proof is that a lonely party does
not affect the computation, since its neighboring set, being smaller than $t+1$, would otherwise be
able to infer information about its input. The proof is given in two steps. In the first step, we show
that for any given lonely party $p_i$, for any fixed inputs for all other parties, and for any transcript
$c$ of the protocol, the probability of $c$ being the transcript of the protocol when $x_i = 0$ is exactly
the same as the probability of $c$ being the transcript of the protocol when $x_i = 1$. In the second
step of the proof, we use this to show that with probability at least $1/2$, the protocol errs by $n/4$.

Without loss of generality, assume $p_1$ is lonely and assume $p_2$ is not a neighbor of $p_1$. Let $T$
be the set of $p_1$'s neighbors and let $R = \{p_1, \ldots, p_n\} \setminus (T \cup \{p_1\})$ (in particular, $p_2 \in R$). Recall
that for a transcript $c$ we denote by $\alpha_1^{c}(x_1)$ the probability that $p_1$ is consistent with $c$ with input
$x_1$, namely, the probability that $p_1$ with input $x_1$ sends at each round messages according to $c$,
provided it received all messages according to $c$ in previous rounds. Our goal in the first part of
the proof is to prove that for any transcript $c$ of the protocol, it holds that $\alpha_1^{c}(0) = \alpha_1^{c}(1)$. Toward
this end, we pursue the following proof structure.

• We first consider two inputs $\mathbf{z}$ and $\mathbf{y}$ such that $\mathrm{SUM}(\mathbf{z}) = \mathrm{SUM}(\mathbf{y})$, $y_i = z_i$ for every $i \in T$,
but $y_1 = 0$ while $z_1 = 1$. For every communication $c$ exchanged in $\Pi$, denote $c_T$ to be the
messages sent and received by the parties in $T$. By Claim 6.2, since $f$ is symmetric, the
probability of $c_T$ is the same with $\mathbf{z}$ and with $\mathbf{y}$.

• We simulate the protocol $\Pi$ by a three-party protocol $\Pi'$, where the parties are $p_1$, $T$,
and $R$, and each one of them simulates the respective set of parties in $\Pi$. We then use
Lemma 2.10 to write the probability that $c_T$ is the communication exchanged in $\Pi$ as a
product of $\alpha_1^{c_T}(x_1)$, $\alpha_T^{c_T}(\mathbf{x}_T)$, and $\alpha_R^{c_T}(\mathbf{x}_R)$, where $\mathbf{x}_T$ (respectively, $\mathbf{x}_R$) are the inputs of parties
in $T$ (respectively, in $R$). We conclude that

$$\alpha_1^{c_T}(y_1) \cdot \alpha_T^{c_T}(\mathbf{y}_T) \cdot \alpha_R^{c_T}(\mathbf{y}_R) = \alpha_1^{c_T}(z_1) \cdot \alpha_T^{c_T}(\mathbf{z}_T) \cdot \alpha_R^{c_T}(\mathbf{z}_R).$$

Furthermore, $\alpha_T^{c_T}(\mathbf{y}_T) = \alpha_T^{c_T}(\mathbf{z}_T)$ (since $\mathbf{y}_T = \mathbf{z}_T$), thus,

• We then assert, by considering all prefixes of $c_T$, that each factor of these two multiplications
is the same in both cases and hence $\alpha_1^{c}(0) = \alpha_1^{c_T}(0) = \alpha_1^{c_T}(1) = \alpha_1^{c}(1)$.

Footnote: We note that the lemma does not hold for non-symmetric functions. For example, we can modify the bit flip
protocol described in Section 3 to an SFE protocol for a non-symmetric function, retaining the number of messages
sent (but not their length): in Step (2) $p_1$ also sends $z = (z_1, \ldots, z_n)$, and in Step (3) each $p_i$ locally outputs $f + z 2^{-n}$,
treating $z$ as an $n$-bit binary number.

Formal proof. Fix any inputs $x_3, \ldots, x_n$ for the parties $p_3, \ldots, p_n$. Let $\mathbf{y}$ be the input vector

$y_1 = 0$, $y_2 = 1$, and $y_k = x_k$ for $3 \le k \le n$,

and let $\mathbf{z}$ be the input vector

$z_1 = 1$, $z_2 = 0$, and $z_k = x_k$ for $3 \le k \le n$.

We first claim that the distribution over the views of $T$ when the protocol is executed with $\mathbf{y}$ is
the same as when the protocol is executed with $\mathbf{z}$. As $\mathrm{SUM}(\mathbf{y}) = \mathrm{SUM}(\mathbf{z})$ and $f$ is symmetric,
$f(\mathbf{y})$ and $f(\mathbf{z})$ are identically distributed. Hence, by Claim 6.2, for any possible view $v_T$ of the
set $T$, it holds that $\Pr[\mathrm{View}_T(\mathbf{y}) = v_T] = \Pr[\mathrm{View}_T(\mathbf{z}) = v_T]$. Thus, since the view of $T$ contains
the transcript $c_T$ of messages sent between the parties in $T$ and the parties in $\{p_1\} \cup R$, we have
that for any such possible transcript $c_T$, the probability that the parties send messages according
to $c_T$ is the same when the protocol is executed with $\mathbf{y}$ and when the protocol is executed with $\mathbf{z}$.
Furthermore, for any possible prefix $c'_T$ of any transcript $c_T$ of $T$, the probability of messages sent
according to $c'_T$ when executing $\Pi$ with input $\mathbf{y}$ is the same as when executing $\Pi$ with input $\mathbf{z}$. This
is true as this probability is merely the sum over the probabilities of all transcripts completing $c'_T$.

Without loss of generality, we can analyze the execution of the protocol as if at each round only
a single message is sent by a single party. Let $j$ be such that $p_1$ sends a message in round $j$ and
denote by $h_j = h_{j-1}, m_j$ the prefix of $c_T$ also viewed by $p_1$ (messages sent or received by $p_1$) in
the first $j$ rounds, where $h_{j-1}$ is the history of messages viewed by $p_1$ in the first $j - 1$ rounds, and
$m_j$ is the message $p_1$ sends in round $j$, according to $c_T$. By the argument above, the probabilities
of $h_{j-1}$ being seen by $p_1$ are the same when the protocol is executed with $\mathbf{y}$ and when the protocol
is executed with $\mathbf{z}$, and the probabilities of $h_j$ being seen by $p_1$ are the same when the protocol is
executed with $\mathbf{y}$ and when the protocol is executed with $\mathbf{z}$. Thus, the probabilities of $p_1$ sending $m_j$
having seen message history $h_{j-1}$ are the same when $x_1 = 0$ and when $x_1 = 1$. Since the probability
of $p_1$ being consistent with a view $c_T$ (of $T$) is the product of the probabilities that it is consistent
at each round, we have $\alpha_1^{c_T}(0) = \alpha_1^{c_T}(1)$. Let $c$ be a full transcript of the protocol, and $c_T$ be its
restriction to messages sent between parties in $T$ and parties in $\{p_1\} \cup R$. Since $p_1$ does not see any
message in $c$ that is not in $c_T$, it holds for every $x_1$ that $\alpha_1^{c}(x_1) = \alpha_1^{c_T}(x_1)$. Thus, $\alpha_1^{c}(0) = \alpha_1^{c}(1)$.

Hence, we proved that for any lonely party $p_i$, and any full transcript $c$ of the protocol, it holds
that $\alpha_i^{c}(0) = \alpha_i^{c}(1)$. Consider the all-zero input vector $\mathbf{0}$ and the input vector $\mathbf{x}$ such that $x_i = 1$ if
and only if $p_i$ is lonely. By Lemma 2.10 we have that for any given full transcript $c$, the probability
of $c$ being exchanged with $\mathbf{0}$ is exactly the probability of $c$ being exchanged with $\mathbf{x}$. Thus, if with
probability at least $1/2$, when executing the protocol with $\mathbf{0}$, the exchanged transcript implies a
value less than $n/4$, then with probability at least $1/2$, the protocol errs by at least $n/4$ when
executed with $\mathbf{x}$. Otherwise, with probability at least $1/2$, the protocol errs by at least $n/4$ when
executed with $\mathbf{0}$. □